2024 FRM 


Exam Prep 


SchweserNotes” 


Foundations of Risk Management 


Kaplan Schweser's Path to Success 


FRM® Exam Part | 


Welcome 


As the head of Advanced Designations at Kaplan Schweser, I am pleased to have the 
opportunity to help you prepare for the FRM® exam. Kaplan Schweser has decades 
of experience in delivering the most effective FRM exam prep products in the 
market and I know you will find them to be invaluable in your studies. 


Our products are designed to be an integrated study solution across print and digital 
media to provide you with the best learning experience, whether you are studying 
with a physical book, online, or on your mobile device. 


Our core product, the SchweserNotes’ , addresses all Topic Areas, Readings, and 
Learning Objectives in the FRM curriculum. Each reading in the SchweserNotes has 
been broken into smaller, bite-sized modules with Module Quizzes interspersed 
throughout to help you continually assess your comprehension. Topic Quizzes and 
Checkpoint Exams appear online to help you gauge your knowledge of the material 
before you move on to the next section. 


All purchasers of the SchweserNotes receive online access to the Kaplan Schweser 
online platform (our learning management system or LMS) at www.Schweser.com. In 
the LMS, you will see a dashboard that tracks your overall progress and 
performance as well as an Activity Feed, which provides structure and organization 
to the tasks required to prepare for the FRM exam. You also have access to the 
online versions of the SchweserNotes and Module Quizzes. Look for the icons 
indicating where Module Quizzes are available online. I strongly encourage you to 
enter your Module Quiz answers online and use the dashboard to track your progress 
and stay motivated. 


Again, thank you for trusting Kaplan Schweser with your FRM exam preparation. 
We're here to help you throughout your journey to become a certified Financial Risk 
Manager. 


Regards, 


rielo Vinrrtac hd 


Derek Burkett, CFA, FRM, CAIA 
Vice President (Advanced Designations) 


Contact us for questions about your study package, upgrading your package, purchasing 
additional study materials, or for additional information: 


888.325.5072 (U.S.) | +1 608.779.8327 (Int'l.) 


staff@schweser.com | www.schweser.com/frm 


Book 1: Foundations of Risk 
Management 


SchweserNotes 2024 


FRM Part I 


KAPLAN) SCHWESER 


SCHWESERNOTES!™ 2024 FRM® PART I BOOK 1: FOUNDATIONS OF RISK MANAGEMENT 
©2024 Kaplan, Inc. All rights reserved. 


Published in 2024 by Kaplan, Inc. 


ISBN: 978-1-0788-4239-6 


Required Disclaimer: GARP® does not endorse, promote, review, or warrant the accuracy of the products 
or services offered by Kaplan Schweser of FRM® related information, nor does it endorse any pass rates 
claimed by the provider. Further, GARP® is not responsible for any fees or costs paid by the user to 
Kaplan Schweser, nor is GARP® responsible for any fees or costs of any person or entity providing any 
services to Kaplan Schweser. FRM®, GARP®, and Global Association of Risk Professionals'™ are 
trademarks owned by the Global Association of Risk Professionals, Inc. 


These materials may not be copied without written permission from the author. The unauthorized duplication of 
these notes is a violation of global copyright laws. Your assistance in pursuing potential violators of this law is 
greatly appreciated. 


Disclaimer: The SchweserNotes should be used in conjunction with the original readings as set forth by GARP®. 
The information contained in these books is based on the original readings and is believed to be accurate. 
However, their accuracy cannot be guaranteed nor is any warranty conveyed as to your ultimate exam success. 


WELCOME TO THE 2024 
SCHWESERNOTES 


Thank you for trusting Kaplan Schweser to help you reach your career and educational 
goals. We are very pleased to be able to help you prepare for the FRM Part I exam. In 
this introduction, I want to explain the resources included with the SchweserNotes, 
suggest how you can best use Kaplan Schweser materials to prepare for the exam, and 
direct you toward other educational resources you will find helpful as you study for the 
exam. 


SchweserNotes 


The SchweserNotes consist of four volumes that include complete coverage of all FRM 
assigned readings and learning objectives as well as module quizzes (multiple-choice 
questions for every reading) to help you master the material and check your retention 
of key concepts. 


Practice Questions 


To retain the material, it is important to quiz yourself often. We offer an online version 
of the SchweserPro” QBank, which contains hundreds of Part I practice questions and 
explanations. We also offer Topic Quizzes and Checkpoint Exams online to further help 
you retain and apply what you have learned. 


Mock Exams 


Schweser offers four full 4-hour, 100-question practice exams. These online exams are 
important tools for gaining the speed and skills you will need to pass the exam. The 
Mock Exams contain answers with full explanations for self-grading and evaluation. 


OnDemand Class 


Our OnDemand Class provides comprehensive online instruction of every reading in 
the FRM curriculum. This video lecture series brings the personal attention of a 
classroom into your home or office with over 30 hours of instruction. The class offers 
in-depth coverage of difficult concepts as well as a discussion of sample exam 
questions. All videos are available for viewing at any time throughout the season. 
Candidates enrolled in the OnDemand Class also have the ability to email questions to 
the instructor at any time. 


Late-Season Review 

Late-season review and exam practice can make all the difference. Our OnDemand 
Review Package helps you evaluate your exam readiness with products specifically 
designed for late-season studying. This study package includes the OnDemand Review 


(8-hour archived online workshop covering essential curriculum topics) and 
Schweser’s Secret Sauce® (concise summary of the FRM curriculum). 


Part I Exam Weightings 


When preparing for the exam, be familiar with the weights assigned to each topic area 
within the curriculum. The Part I exam weights and questions are as follows: 


Book Topic Area Exam Weight Exam Questions 
I Foundations of Risk Management 20% 20 
2 Quantitative Analysis 20% 20 
3 Financial Markets and Products 30% 30 
4 Valuation and Risk Models 30% 30 


How to Succeed 


The FRM Part I exam is a formidable challenge (covering 62 assigned readings and 
almost 500 learning objectives), so you must devote considerable time and effort to be 
properly prepared. There are no shortcuts! You must learn the material, know the 
terminology and techniques, understand the concepts, and be able to answer 100 
multiple-choice questions quickly and (at least 70%) correctly. A good estimate of the 
study time required is 275 hours on average, but some candidates will need more or 
less time, depending on their individual backgrounds and experience. 


Expect the Global Association of Risk Professionals (GARP) to test your knowledge ina 
way that will reveal how well you know the Part I curriculum. You should begin 
studying early and stick to your study plan. You should first read the SchweserNotes 
and complete the practice questions for each reading. After completing each book, you 
should answer the provided topic quiz questions to understand how concepts may be 
tested on the exam. 


It is recommended that you finish your initial study of the entire curriculum at least 
two weeks (earlier if possible) prior to your exam window to allow sufficient time for 
practice and targeted review. During this period, you should take all of your Schweser 
Mock Exams. This final review period is when you will get a clear indication of how 
effective your study efforts have been and which readings require significant additional 
review. Answering exam-like questions across all readings and working on your exam 
time management skills will be important determinants of your success on exam day. 


Best regards, 


Erie Shah 


Eric Smith, CFA, FRM, FDP 
Director, Advanced Designations 
Kaplan Schweser 


CONTENTS 


Readings and Learning Objectives 


STUDY SESSION 1—Risk Management Overview 


READING 1 
The Building Blocks of Risk Management 


Exam Focus 

Module 1.1: Introduction to Risk Management 
Module 1.2: Types of Risk 

Key Concepts 

Answer Key for Module Quizzes 


READING 2 
How Do Firms Manage Financial Risk? 


Exam Focus 

Module 2.1: Corporate Risk Management 

Module 2.2: Risk Management Methods and Instruments 
Key Concepts 

Answer Key for Module Quizzes 


READING 3 
The Governance of Risk Management 


Exam Focus 

Module 3.1: Corporate Governance and Risk Management 
Module 3.2: Risk Governance Implementation 

Key Concepts 

Answer Key for Module Quizzes 


READING 4 
Credit Risk Transfer Mechanisms 


Exam Focus 

Module 4.1: Credit Risk Transfer 
Key Concepts 

Answer Key for Module Quizzes 


STUDY SESSION 2—Pricing Models and Enterprise Risk Management 


READING 5 
Modern Portfolio Theory and the Capital Asset Pricing Model 


Exam Focus 

Module 5.1: Modern Portfolio Theory and the Capital Market Line 
Module 5.2: Deriving and Applying the Capital Asset Pricing Model 
Module 5.3: Performance Evaluation Measures 

Key Concepts 

Answer Key for Module Quizzes 


READING 6 
The Arbitrage Pricing Theory and Multifactor Models of Risk and Return 


Exam Focus 

Module 6.1: Multifactor Model Assumptions and Inputs 
Module 6.2: Applying Multifactor Models 

Key Concepts 

Answer Key for Module Quizzes 


READING 7 
Principles for Effective Data Aggregation and Risk Reporting 


Exam Focus 

Module 7.1: Data Quality, Governance, and Infrastructure 
Module 7.2: Risk Data Aggregation and Reporting Capabilities 
Key Concepts 

Answer Key for Module Quizzes 


READING 8 
Enterprise Risk Management and Future Trends 


Exam Focus 

Module 8.1: Enterprise Risk Management 
Module 8.2: Risk Culture and Scenario Analysis 
Key Concepts 

Answer Key for Module Quizzes 


STUDY SESSION 3—Case Studies and Code of Conduct 


READING 9 
Learning from Financial Disasters 


Exam Focus 

Module 9.1: Case Studies on Interest Rate Risk, Liquidity Risk, and Hedging 
Strategy 

Module 9.2: Case Studies on Model Risk and Rogue Trading 

Module 9.3: Case Studies on Financial Engineering, Reputation Risk, Corporate 
Governance, and Cyber Risk 

Key Concepts 

Answer Key for Module Quizzes 


READING 10 


Anatomy of the Great Financial Crisis of 2007-2009 


Exam Focus 

Module 10.1: The Global Financial Crisis 
Key Concepts 

Answer Key for Module Quizzes 


READING 11 
GARP Code of Conduct 
Exam Focus 


Module 11.1: GARP Code of Conduct 
Answer Key for Module Quizzes 


Formulas 
Index 


Readings and Learning Objectives 


STUDY SESSION 1 


1. The Building Blocks of Risk Management 


Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 1. 


After completing this reading, you should be able to: 

a. explain the concept of risk and compare risk management with risk taking. 

b. evaluate, compare, and apply tools and procedures used to measure and manage risk, including 

quantitative measures, qualitative risk assessment techniques, and enterprise risk management. 

c. distinguish between expected loss and unexpected loss and provide examples of each. 

d. interpret the relationship between risk and reward and explain how conflicts of interest can 
impact risk management. 

. describe and differentiate between the key classes of risks, explain how each type of risk can 
arise, and assess the potential impact of each type of risk on an organization. 


explain how risk factors can interact with each other and describe challenges in aggregating risk 
exposures. 


ie) 


m 


2. How Do Firms Manage Financial Risk? 


Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 2. 


After completing this reading, you should be able to: 

a. compare different strategies a firm can use to manage its risk exposures and explain situations in 
which a firm would want to use each strategy. 

b. explain the relationship between risk appetite and a firm’s risk management decisions. 

c. evaluate some advantages and disadvantages of hedging risk exposures and explain challenges 
that can arise when implementing a hedging strategy. 


d. apply appropriate methods to hedge operational and financial risks, including pricing, foreign 
currency, and interest rate risk. 


e. assess the impact of risk management tools and instruments, including risk limits and 
derivatives. 


3. The Governance of Risk Management 
Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 3. 
After completing this reading, you should be able to: 


a. explain changes in regulations and corporate risk governance that occurred as a result of the 
2007-2009 financial crisis. 

b. describe best practices for the governance of a firm’s risk management processes. 
explain the risk management role and responsibilities of a firm’s board of directors. 

. evaluate the relationship between a firm’s risk appetite and its business strategy, including the 
role of incentives. 

. illustrate the interdependence of functional units within a firm as it relates to risk management. 
assess the role and responsibilities of a firm’s audit committee. 


an 


™m Oo 


4. Credit Risk Transfer Mechanisms 
Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 4. 
After completing this reading, you should be able to: 


a. compare different types of credit derivatives, explain their applications, and describe their 
advantages. 


b. explain different traditional approaches or mechanisms that firms can use to help mitigate credit 
risk. 


c. evaluate the role of credit derivatives in the 2007-2009 financial crisis and explain changes in the 
credit derivative market that occurred as a result of the crisis. 


d. explain the process of securitization, describe a special purpose vehicle (SPV), and assess the risk 
of different business models that banks can use for securitized products. 


STUDY SESSION 2 


5. Modern Portfolio Theory and the Capital Asset Pricing Model 


Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 5. 


After completing this reading, you should be able to: 

a. explain Modern Portfolio Theory and interpret the Markowitz efficient frontier. 

b. understand the derivation and components of the CAPM. 

c. describe the assumptions underlying the CAPM. 

d. interpret and compare the capital market line and the security market line. 

e. apply the CAPM in calculating the expected return on an asset. 

f. interpret beta and calculate the beta of a single asset or portfolio. 

g. calculate, compare, and interpret the following performance measures: the Sharpe performance 


index, the Treynor performance index, the Jensen performance index, the tracking error, 
information ratio, and Sortino ratio. 


6. The Arbitrage Pricing Theory and Multifactor Models of Risk and Return 


Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 6. 
After completing this reading, you should be able to: 


a. explain the Arbitrage Pricing Theory (APT), describe its assumptions, and compare the APT to 
the CAPM. 


b. describe the inputs, including factor betas, to a multifactor model and explain the challenges of 
using multifactor models in hedging. 

c. calculate the expected return of an asset using a single-factor and a multifactor model. 

d. explain how to construct a portfolio to hedge exposure to multiple factors. 

e. describe and apply the Fama-French three-factor model in estimating asset returns. 


7. Principles for Effective Data Aggregation and Risk Reporting 


8. 


Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 7. 


After completing this reading, you should be able to: 

a. explain the potential benefits of having effective risk data aggregation and reporting. 

b. explain challenges to the implementation of a strong risk data aggregation and reporting process 
and the potential impacts of using poor-quality data. 


. describe key governance principles related to risk data aggregation and risk reporting. 


d. describe characteristics of effective data architecture, IT infrastructure, and risk-reporting 
practices. 


a 


Enterprise Risk Management and Future Trends 

Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 

Pearson, 2023. Chapter 8. 

After completing this reading, you should be able to: 

a. describe Enterprise Risk Management (ERM) and compare an ERM program with a traditional 
silo-based risk management program. 

b. describe the motivations for a firm to adopt an ERM initiative. 

c. explain best practices for the governance and implementation of an ERM program. 

d. describe risk culture, explain the characteristics of a strong corporate risk culture, and describe 
challenges to the establishment of a strong risk culture at a firm. 


e. explain the role of scenario analysis in the implementation of an ERM program and describe its 
advantages and disadvantages. 


f. explain the use of scenario analysis in stress testing programs and capital planning. 


STUDY SESSION 3 


9: 


10. 


11. 


Learning from Financial Disasters 
Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 9. 
After completing this reading, you should be able to: 
a. analyze the following factors that contributed to the given case studies of financial disasters and 
examine the key lessons learned from these case studies: 
= Interest rate risk, including the 1980s savings and loan crisis in the US. 
= Funding liquidity risk, including Lehman Brothers, Continental Illinois, and Northern Rock. 
= Constructing and implementing a hedging strategy, including the Metallgesellschaft case. 
= Model risk, including the Niederhoffer case, Long Term Capital Management, and the London 
Whale case. 
= Rogue trading and misleading reporting, including the Barings case. 
= Financial engineering, including Bankers Trust, the Orange County case, and Sachsen 
Landesbank. 
= Reputation risk, including the Volkswagen case. 
= Corporate governance, including the Enron case. 
a Cyber risk, including the SWIFT case. 


Anatomy of the Great Financial Crisis of 2007-2009 
Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 10. 


After completing this reading, you should be able to: 

a. describe the historical background and provide an overview of the 2007-2009 financial crisis. 

b. describe the build-up to the financial crisis and the factors that played an important role. 

c. explain the role of subprime mortgages and collateralized debt obligations (CDOs) in the crisis. 

d. compare the roles of different types of institutions in the financial crisis, including banks, 
financial intermediaries, mortgage brokers and lenders, and rating agencies. 

e. describe trends in the short-term wholesale funding markets that contributed to the financial 
crisis, including their impact on systemic risk. 

f. describe responses made by central banks in response to the crisis. 


GARP Code of Conduct 

Global Association of Risk Professionals. Foundations of Risk Management. New York, NY: 
Pearson, 2023. Chapter 11. 

After completing this reading, you should be able to: 

a. describe the responsibility of each GARP Member with respect to professional integrity, ethical 


conduct, conflicts of interest, confidentiality of information, and adherence to generally accepted 
practices in risk management. 


b. describe the potential consequences of violating the GARP Code of Conduct. 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 1. 


READING 1 


THE BUILDING BLOCKS OF RISK 
MANAGEMENT 


Study Session 1 


EXAM FOCUS 


This introductory reading provides coverage of fundamental risk management concepts 
that will be discussed in much more detail throughout the FRM curriculum. For the 
exam, it is important to understand the general risk management process and its 
potential shortcomings, the concept of unexpected loss, and some of the underlying 
points regarding the relationship between risk and reward. Also, the material on the 
main categories of financial and nonfinancial risks contains several testable concepts. 


MODULE 1.1: INTRODUCTION TO RISK MANAGEMENT 


LO 1.a: Explain the concept of risk and compare risk management with risk 
taking. 


In an investing context, risk is the uncertainty surrounding outcomes. Investors are 
generally more concerned about negative outcomes (unexpected investment losses) 
than they are about positive surprises (unexpected investment gains). Additionally, 
there is an observed natural trade-off between risk and return; opportunities with high 
risk have the potential for high returns and those with lower risk also have lower 
return potential. 


Risk is not necessarily related to the size of the potential loss. For example, many 
potential losses are large but are quite predictable and can be accounted for using risk 
management techniques. The more important concern is the variability of the loss, 
especially an unexpected loss that could rise to unexpectedly high levels. 


As a Starting point, risk management includes the sequence of activities aimed to 
reduce or eliminate an entity’s potential to incur expected losses. On top of that, there 
is the need to manage the unexpected variability of some costs. In managing both 
expected and unexpected losses, risk management can be thought of as a defensive 
technique. However, risk management is actually broader in the sense that it considers 


how an entity can consciously determine how much risk it is willing to take to earn 
future uncertain returns. The concept of risk taking refers to the active acceptance of 
incremental risk in the pursuit of incremental gains. In this context, risk taking can be 
thought of as an opportunistic action. 


The Risk Management Process 

The risk management process is a formal series of actions designed to determine if 
the perceived reward justifies the expected risks. A related query is whether the risks 
could be reduced and still provide an approximately similar reward. 


There are several core building blocks in the risk management process. They are as 
follows: 


1. Identify risks. 

2. Measure and manage risks. 

3. Distinguish between expected and unexpected risks. 

4. Address the relationships among risks. 

5. Develop a risk mitigation strategy. 

6. Monitor the risk mitigation strategy and adjust as needed. 


Risk managers can deploy several methods to identify relevant risks. The various types 
of risk are discussed later in this reading, but for now, focus on the identification 
process. One method to identify risks is brainstorming, which involves soliciting from 
key business leaders all potential known risks influencing their supervision area. These 
key leaders may also survey their subordinates (and especially frontline personnel) for 
a deeper understanding of relevant risks. There may be industry-level resources (e.g, 
regulatory standards, industry surveys, or expert opinions) that are also available. For a 
more quantitative approach, a risk manager can analyze actual loss data to discern the 
magnitudes and frequency of various losses. Scenario analysis is another common tool 
used for identifying risks. 


Part of the risk identification process is to filter risks into degrees of being known or 
unknown. Figure 1.1 illustrates that risks can move along a spectrum from being 
expected (i.e. known) to being fully unknown. The unknown category can be subdivided 
into the known unknowns (i.e., Knightian uncertainty) and the unknown unknowns. The 
former are items that may impact a firm, while the latter are truly unknown (i.e., tail 
risk events). Where possible, risk managers should move a risk into the known 
category, but this does not work for risks that cannot be quantified. 


Figure 1.1: Loss Categories 


we > 


Unknown 
unknowns 


Known unknowns 
f — \ 
| | 
| | 


Unexpected loss 


Expected loss 


The risk management process involves a four-way decision. The company might decide 
to avoid risk directly by selling a product line, avoiding certain markets or 
jurisdictions, or offshoring production. They also might decide to retain risk, depending 
on the expected rewards relative to the probability and frequency of any expected 
losses. Another option is to mitigate risk by reducing either the magnitude or the 
frequency of exposure to a given risk factor. Finally, risk managers could transfer risk to 
a third party using derivatives or structured products. They could also purchase 
insurance to outsource risk to an insurance company. 


One of the challenges in ensuring that risk management will be beneficial to the 
economy is that risk must be sufficiently dispersed among willing and able participants 
in the economy. Unfortunately, a notable failure of risk management occurred during 
the financial crisis of 2007-2009 when it was subsequently discovered that risk was 
too concentrated among too few participants. 


Another challenge of the risk management process is that it has failed to consistently 
assist in preventing market disruptions or preventing financial accounting fraud (due to 
corporate governance failures). For example, the existence of derivative financial 
instruments greatly facilitates the ability to assume high levels of risk and the tendency 
of risk managers to follow each other’s actions (e.g., selling risky assets during a market 
crisis, which disrupts the market by increasing its volatility). 


In addition, the use of derivatives as complex trading strategies assisted in overstating 
the financial position (i.e. net assets on balance sheet) of many entities and 
complicating the level of risk assumed by many entities. Even with the best risk 
management policies in place, using such inaccurate information would not allow the 
policies to be effective. 


Finally, risk management may not be effective on an overall economic basis because it 
only involves risk transferring by one party and risk assumption by another party. It 


does not result in overall risk elimination. In other words, risk management can be 
thought of as a zero-sum game in that some “winning” parties will gain at the expense of 
some “losing” parties. However, if enough parties suffer devastating losses due to an 
excessive assumption of risk, it could lead to a widespread economic crisis. 


Measuring and Managing Risk 


LO 1.b: Evaluate, compare, and apply tools and procedures used to measure and 
manage risk, including quantitative measures, qualitative risk assessment 
techniques, and enterprise risk management. 


Quantitative Risk Measures 

Value at risk (VaR) calculates an estimated loss amount given a certain probability of 
occurrence. For example, a financial institution may have a one-day VaR of $2.5 million 
at the 95% confidence level. That would be interpreted as having a 5% chance that 
there will be a loss greater than $2.5 million on any given day. VaR is a useful measure 
for liquid positions operating under normal market circumstances over a short period 
of time. It is less useful and potentially dangerous when attempting to measure risk in 
non-normal circumstances, in illiquid positions, and over a long period of time. 


To further illustrate the concept of VaR, assume you have gathered 1,000 monthly 
returns for a security, and produced the histogram shown in Figure 1.2. You decide that 
you want to compute the monthly VaR for this security at a confidence level of 95%. At 
a 95% confidence level, the lower tail displays the lowest 5% of the underlying 
distribution’s returns. For this distribution, the value associated with a 95% confidence 
level is a return of -15.5%. If you have $1,000,000 invested in this security, the one- 
month VaR is $155,000 (= -15.5% x $1,000,000). 


Figure 1.2: Histogram of Monthly Returns 


i 
i 
%0 i 
_ I 
3o - 
40 Probability H 
n of Loss - 
30 ‘ 
I 
20 
[i 
i 

i | | 

0 Oo n 


| $ r sic ai? a\e aio gio 2\° 
k 2 > oa SS PAN) oS ww S Ņ A 
% yoo y 9 » n b” Y D y oP 


Frequency 


Monthly Return 


CT PROFESSOR'S NOTE 
ê The VaR calculated using Figure 1.2 is an example of historical VaR. In Book 4, 
you will learn about other approaches for calculating VaR. 


Economic capital is the amount of liquid capital necessary to cover unexpected losses. 
For example, if one-day VaR is $2.5 million and the entity holds $2.5 million in liquid 
reserves, then they have sufficient economic capital (i.e. they are unlikely to go 
bankrupt in a one-day expected tail risk event). 


Qualitative Risk Assessment 


Scenario analysis is a process that considers potential future risk factors and the 
associated alternative outcomes. The typical method is to compare a best-case scenario 
to a worst-case scenario, which shocks variables to their extreme known values. This 
process factors the potential impact of several categories of risk and influences risk 
manager decision making by attempting to put a value on an otherwise qualitative 
concept (i.e., what-if analysis). This exercise is an attempt to understand the assumed 
full magnitude of potential losses even if the probability of the loss is very small. 


Stress testing is a form of scenario analysis that examines a financial outcome based 
on a given “stress” on the entity. This technique adjusts one parameter at a time to 
estimate the impact on the firm. For example, it is plausible for interest rates to adjust 
severely in an economic crisis. Stress testing will estimate the impact of this one 
parameter on the entity. 


There are two types of parameters that could be considered using either scenario 
analysis or stress testing. The first type of parameter is historically sourced. This 
parameter has the benefit of being observable, but the past trend may not continue into 
the future. The second type of parameter is an estimated variable, which is a 
hypothetical forecast based on a risk manager’s assumptions. This approach can 
introduce estimation error and model risk, but it may be a useful exercise to fully 
understand a firm’s sensitivity to qualitative risk factors. 


Enterprise Risk Management 


In practice, the term enterprise risk management (ERM) refers to a general process 
by which risk is managed within an organization. An ERM system is highly integrative 
in that it is deployed at the enterprise level and not siloed at the department level. The 
value in this top-down approach is that risk is not considered independently, but rather 
in relation to its potential impact on multiple divisions of a company. 


One challenge with the ERM approach is a tendency to reduce risk management to a 
single value (e.g., either VaR or economic capital). This attempt is too simplistic ina 
dynamic-risk environment. Risk managers learned from the financial crisis of 2007- 
2009 that risk is multi-dimensional, and it requires consideration from various vantage 
points. Risk also develops across different risk types, as you will learn later in this 
reading. The reality is that proper application of an ERM framework requires both 
statistical analysis and informed judgment on the part of risk managers. 


The ultimate goal of an ERM is to understand company-wide risks and to integrate risk 
planning into strategic business planning. If the risk management process does not link 
information with action, then it is an exercise in futility. ERM is not just about risk 
aggregation at the company level. It considers risk holistically and its appropriate 
influence on strategic planning for an organization. 


Expected and Unexpected Loss 


LO 1.c: Distinguish between expected loss and unexpected loss and provide 
examples of each. 


Expected loss (EL) considers how much an entity expects to lose in the normal course 
of business. These losses can be calculated through statistical analysis with relative 
reliability over short time horizons. The EL of a portfolio can generally be calculated as 
a function of: (1) the probability of a risk occurring; (2) the dollar exposure to the risk 
event; and (3) the expected severity of the loss if the risk event does occur. 


For example, a retail business that provides credit terms on sales of goods to its 
customers (i.e., no need to pay immediately) incurs the risk of nonpayment by some of 
those customers. If the business has been in operation for at least a few years, it could 
use its operating history to reasonably estimate the percentage of annual credit sales 
that will never be collected. The amount of the loss is therefore predictable and is 
treated as a regular cost of doing business (i.e., bad debt expense on the income 
statement). It can be priced into the cost of the goods directly in the case of the retail 
business. In a banking context, EL could be modeled as the product of a borrower’s 
probability of default (PD), the bank’s exposure at default (EAD), and the magnitude of 
the loss given default (LGD). 


EL = EAD x PD x LGD 


Banks will often address ELs by charging a higher spread (and possibly a shorter time 
horizon) for riskier borrowers. Most expected losses can be logically considered as a 
function of several more granular losses. 


CT PROFESSOR'S NOTE 
ê When EL can be modeled with confidence, it can be treated like a predictable 
expense or a variable cost. 


Unexpected loss (UL) considers how much an entity could lose in excess of their 
average (expected) loss scenarios. There is considerable challenge involved with 
predicting unexpected losses because they are, by definition, unexpected. 


For example, consider a commercial loan portfolio that is focused on loans to 
automotive manufacturing companies. During an economic expansion that favors such 
companies (because individuals have more disposable income to spend on items such 
as automobiles), the lender will realize very few, if any, loan defaults. However, during 
an economic recession, there is less disposable income to spend and many more loan 
defaults are likely to occur from borrowers. It is also likely that many of these losses 
will be clustered at the same time. This is an example of correlation risk, when 


unfavorable events happen together. The correlation risk drives potential losses to 
unexpected levels. 


Another example of correlation risk lies with real estate loans secured by real property. 
Borrowers tend to default on loans (i.e., default rate risk) at the same time that the real 
property values fall (i.e., recovery rate risk—the creditor’s collateral is worth less, 
thereby compromising the recovery rate on the funds lent to the borrowers). These two 
risks occurring simultaneously could also bring potential losses to unexpected levels. 


The Relationship Between Risk and Reward 


LO 1.d: Interpret the relationship between risk and reward and explain how 
conflicts of interest can impact risk management. 


As previously mentioned, there is a natural trade-off between risk and reward. In 
general, the greater the risk taken, the greater the potential reward. However, one must 
consider the variability of the potential reward. The portion of the variability that is 
measurable as a probability function could be thought of as risk (EL) whereas the 
portion that is not measurable could be thought of as uncertainty (unexpected loss). 


For example, government bonds have less credit/default risk than corporate bonds. 
Therefore, government bonds will trade with lower yields than corporate bonds (all 
else equal). However, for a given maturity, the full relationship between risk and return 
goes further than merely credit risk (e.g. liquidity risks and taxation impacts may make 
the relationship less clear). Additionally, the risk tolerances (i.e., ability and willingness 
to take on certain risks) of market participants may change over time. When risk 
tolerances are high, the spread between riskless and risky bonds may narrow to an 
abnormally low level, which again disguises the true relationship between risk and 
return. 


LT PROFESSOR'S NOTE 
ê The risk/reward trade-off becomes much more complex to analyze for assets 
that are either thinly traded or not publicly traded. This is especially true for 
illiquid assets. 


Because risk and reward are linked, it is very important for risk managers to properly 
consider relevant risks. As previously mentioned, a bank’s EL could be modeled as the 
product of a borrower’s PD, the bank’s EAD, and the magnitude of the LGD. Risk 
managers could drill down on the PD to discern underlying loss drivers that need to be 
monitored. Some of the drivers could be the borrower’s financial condition (e.g., sales 
growth trends, input cost trends, etc.) or it could be an external factor (e.g., weakening 
global trade or unfavorable tax policy changes). The potential list of loss drivers could 
be exhaustive. The advent of artificial intelligence and machine learning greatly 
enhances a risk manager’s ability to consider and isolate economically important loss 
drivers to monitor. 


In complex systems (e.g, financial markets), extreme unexpected losses (risk) 
sometimes occur. These tail risk events can be tragic for a risk management system. 


This is especially true when the correlation between risk factors increases. The triggers 
for lockstep movement between risk factors could be structural changes such as 
behavioral shifts, industry trends, government interventions, and new innovations. 
Danger arises when the frequency of tail events increases because the pace of structural 
uncertainty accelerates. 


One of the biggest structural concerns is the potential for conflicts of interest. Those in 
the position to be most aware of the presence, probability, and potential impact of 
various risk factors are sometimes the ones who try to profit from its presence. This 
reality could be seen in the actions of rogue traders. It may also be seen from managers 
who conceal knowledge of a risk factor to maximize short-term stock price movements 
to enhance personal compensation through stock-based remuneration structures. 


The best way to combat the potential for conflicts of interest to skew risk recognition 
is the following three-step process: 


1. Risk recognition by frontline employees and division managers. 
2. A robust risk management system with daily oversight. 


3. Periodic independent audits to ensure that steps 1 and 2 are functioning properly. 


=) MODULE QUIZ 1.1 
=A 1, Which of the following statements regarding risk and risk management is correct? 
A. Risk management is more concerned with unexpected losses than expected losses. 

B. There is a relationship between the amount of risk taken and the size of the 
potential loss. 

C. The final step of the risk management process involves developing a risk 
mitigation strategy. 

D. If executed properly, the risk management process may allow for risk elimination 
within an economy. 


2. Which of the following items is not a building block of the risk management process? 
A. Identifying relevant risk. 
B. Measuring risks. 
C. Avoiding all known risks. 
D. Attempting to quantify any expected losses. 


3. Examining the impact of a dramatic increase in interest rates on the value of a bond 
investment portfolio could be performed using which of the following tools? 
I. Stress testing. 
II. Enterprise risk management. 
A. I only. 
B. II only. 
C. Both I and IT. 
D. Neither I nor II. 


4. Which of the following items would be associated with unexpected losses? 
I. Loan defaults are increasing simultaneously while recovery rates are decreasing. 
II. Lending losses are covered by charging a spread between the cost of funds and 
the lending rate. 
A. I only. 
B. II only. 


C. Both I and IT. 
D. Neither I nor IT. 
5. Which of the following statements is incorrect with respect to the relationship 
between risk factors? 
A. The risk/reward trade-off is easier to consider for individual stocks than for 
private equity investments. 
B. Risk management conflicts of interest can be easily mitigated through stock- 
based compensation. 
C. Risk managers should consider granular loss drivers. 
D. Risk management conflicts of interest can be mitigated through periodic internal 
audits. 


MODULE 1.2: TYPES OF RISK 


LO 1.e: Describe and differentiate between the key classes of risks, explain how 
each type of risk can arise, and assess the potential impact of each type of risk 
on an organization. 


All firms face risks. These risks can be subcategorized as market risks, credit risks, 
liquidity risks, operational risks, legal and regulatory risks, business and strategic risks, 
and reputation risks. 


Market Risk 


Market risk refers to the fact that market prices and rates are continually in a state of 
change. The four key subtypes of market risk are interest rate risk, equity price risk, 
foreign exchange risk, and commodity price risk. The key to mitigating these risks is to 
understand the relationship between positions. As these relationships change, risk 
management methods need to change as well. 


= Interest rate risk refers to uncertainty flowing from changes in interest rate levels. 
If market interest rates rise, the value of bonds will decrease. Another form of 
interest rate risk is the potential for change in the shape of (or a parallel shift in) the 
yield curve. Interest rate risk may arise from having positions that are either 
completely or partially unhedged. This occurs when underlying transactions do not 
fully offset. In this instance, the loss could be attributed to basis risk, which means 
that the presumed correlation between the price of a bond and the price of the 
hedging vehicle used to hedge that bond has changed unfavorably. 


= Equity price risk refers to the volatility of stock prices. It can be broken up into two 
parts: (1) general market risk, which is the sensitivity of the price of a stock to 
changes in broad market indices, and (2) specific risk, which is the sensitivity of the 
price of a stock due to company-specific factors (e.g. rising cost of inputs, strategic 
weaknesses, etc.). General market risk cannot be diversified away, while specific risk 
can be mitigated by holding assets with less than perfect correlations. 


= Foreign exchange risk refers to monetary losses that arise from either fully or 
partially unhedged foreign currency positions. Foreign exchange risk results from 
imperfect correlations in currency price movements as well as changes in 


international interest rates. Potentially large losses could reduce an entity’s 
competitive edge relative to its foreign competitors. 


= Commodity price risk refers to the price volatility of commodities (e.g,, precious 
metals, base metals, agricultural products, energy) due to the concentration of 
specific commodities in the hands of relatively few market participants. The resulting 
lack of trading liquidity tends to increase the amount of price volatility compared to 
financial securities. In addition, commodities may face significant price 
discontinuities (i.e., prices suddenly jump from one level to another). 


Credit Risk 


Credit risk refers to a loss suffered by a party whereby the counterparty fails to meet 
its contractual obligations. Credit risk may arise if there is an increasing risk of default 
by the counterparty throughout the duration of the contract. There are four subtypes of 
credit risk: (1) default risk, (2) bankruptcy risk, (3) downgrade risk, and (4) settlement 
risk. 


= Default risk refers to potential nonpayment of interest and/or principal on a loan by 
the borrower. The PD is central to risk management. 


= Bankruptcy risk is the chance that a counterparty will stop operating completely. 
The risk management concern is that the liquidation value of any collateral might be 
insufficient to recover a loss flowing from a default. 


= Downgrade risk considers the decreased creditworthiness of a counterparty. A 
creditor may subsequently charge the downgraded entity a higher lending rate to 
compensate for the increased risk. For a creditor, downgrade risk may eventually lead 
to default risk. 


= Settlement risk could be illustrated using a derivatives transaction between two 
counterparties. At the settlement date, one of them is in a net gain (“winning”) 
position and the other is in a net loss (“losing”) position. The position that is losing 
may simply refuse to pay and fulfill its obligations. This risk is also known as 
counterparty risk (or Herstatt risk‘). 


Consider an example where one investor’s net gain on a futures contract is $500,000 at 
settlement. The counterparty must pay this amount, but they have encountered 
financial difficulty and are only able to pay $400,000. This estimated payment is called 
the recovery value, and the $100,000 that will be lost is known as the loss given 
default (LGD). Expressed in percentages, the recovery rate is 80% and the LGD is 
20%. If the recovery rate was 0%, then the counterparty would be in complete default 
and possibly in a bankruptcy scenario. 


Risk managers use sophisticated modeling to properly consider credit risk. Following is 
a list of some very important considerations relative to this risk identification process: 
= Is the interest rate charged on the instrument commensurate with the risk taken? 

= Isa portfolio of instruments diversified both geographically and by industry? 


= Have correlations between instruments and other known risk factors been properly 
considered? 


= Are any firm-specific or industry-specific financial ratios indicating a cause for 
concern? 


= Isa lender exposed to a large number of small loans or a small number of large loans? 
Concentration risk can be a real concern. 


a What is the PD for the various instruments owned? 


= Are the probabilities of default correlated in any way? 


Liquidity Risk 

Liquidity risk is subdivided into two parts: (1) funding liquidity risk and (2) market 
liquidity risk. If liquidity risk becomes systemic, it could lead to elevated credit risk 
(e.g., a potential default scenario). 


= Funding liquidity risk occurs when an entity is unable to pay down (or refinance) 
its debt, satisfy cash obligations to counterparties, or fund capital withdrawals. This 
risk can be illustrated from the perspective of the banking industry, which has a 
natural mismatch between assets and liabilities (e.g, short-term deposits 
mismatched with longer-term loans). Improper risk management of this fundamental 
mismatch led to bank defaults during the financial crisis of 2007-2009. 


= Market liquidity risk (also known as trading liquidity risk) refers to losses flowing 
from a temporary inability to find a needed counterparty. This risk can cripple an 
entity’s ability to turn assets into cash at any reasonable price. Transactions with an 
element of immediacy might need to be consummated with a significant discount, 
which typically translates into a huge loss. The impact of market liquidity risk could 
include impairments in an entity’s ability to control market risk and to cover any 
funding shortfalls. 


Operational Risk 

Operational risk refers to potential losses flowing from inadequate (or failed) internal 
processes, human error, or an external event.” The details of operational risk could 
relate to factors such as inadequate computer systems (technology risk), insufficient 
internal controls, incompetent management, fraud (e.g., losses due to intentional 
falsification of information), employee mistakes (e.g. losses due to incorrect data entry 
or accidental deletion of a file), natural disasters, cyber security risks, or rogue traders. 


Within a financial institution, the leveraged nature of derivatives transactions makes 
them highly susceptible to operational risk. This is further amplified by the models 
used to price complex assets that may be less liquid than mark-to-market rules require. 
A very robust system of internal controls is required within an entity. Otherwise, there 
is a risk of significant losses due to various operational risks, which can be challenging 
to quantify. 


Legal and Regulatory Risk 

Legal risk is the potential for litigation to create uncertainty for a firm. In the context 
of a two-way financial transaction, an example of legal risk is one party suing the other 
party in an attempt to terminate the transaction. Regulatory risk refers to uncertainty 


surrounding actions by a governmental entity. An example of regulatory risk could be a 
change in tax law or margin requirements that alter the payoff for a given trade. In 
practice, legal and regulatory risks are highly integrated with both operational and 
reputation risk (discussed shortly). 


Business and Strategic Risk 


Business risk refers to variability in inputs that influence either revenues (e.g, 
customer demand trends, product pricing policies, etc.) or cost structures (e.g., the cost 
of production inputs, supplier negotiations, etc.). Diverse business elements such as 
new product innovations, shipping delays, and production cost overruns could also be 
labeled as business risks. 


Strategic risk involves long-term decision making about fundamental business 
strategy. These long-term strategic initiatives may involve large capital investments in 
either equipment or human capital. For example, an entity could spend millions of 
dollars developing a new product that ultimately fails in the marketplace because 
consumers find it unsuitable for their needs. Alternatively, the regulatory landscape 
could change and materially alter the profitability of a project. Another example of 
strategy risk is a bank that changes its lending standards to originate more loans only 
to find that the risk of the loans elevates to a disastrous level during a period of market 
distress. 


Reputation Risk 


Reputation risk is the danger that a firm will suffer a loss in public perception (or 
consumer acceptance) due to either: (1) a loss of confidence in the firm’s financial 
soundness or (2) a perception of a lack of fair dealing with stakeholders. Reputation 
risk is often one of the outcomes of experiencing a loss in another risk category. For 
example, a significant credit risk experienced by a bank could create a reputational 
impact for the firm. Likewise, the exponential growth in technology (and the internet) 
could lead to operational risks such as a cyberattack. Social media can also amplify 
reputation risk as users can spread information quickly that may or may not be 
accurate. The impact of reputation risk on an entity could start with lost profits and 
eventually lead to insolvency as public perception of the entity diminishes together 
with the value of the entity. 


Overall, an entity should clearly define its holistic appetite for assuming risk. The entity 
might decide to be very conservative in assuming credit risk, while behaving with an 
entrepreneurial spirit with respect to business risk. There is also a tremendous 
interconnection between the different types of risk. For example, a company might be 
exposed to currency risk because of a new innovation that requires either international 
sales or internationally-sourced production inputs. 


Risk Factor Interactions 


LO 1.f: Explain how risk factors can interact with each other and describe 
challenges in aggregating risk exposures. 


A significant danger in risk management occurs when independent risk factors are 
correlated. For example, a granular factor that leads to default risk for a loan could 
ultimately spill over into credit risk, operational risk, business risk, and reputation risk. 
This is most dangerous with unexpected losses. Realizing the potential for correlation 
between risks will help a risk manager measure and manage unexpected losses with 
marginally more certainty. For example, a risk manager could consider historical 
correlations between identified risk factors and forecast the nature of these 
relationships to measure the risk planning process. 


Another significant challenge for risk managers is understanding how risk 
aggregation can be applied to measure all risks at the enterprise level. To consider the 
potential for complexity, consider the difference between quantifying the market risk 
associated with an individual stock versus a derivatives transaction. Market risk for a 
stock can be modeled using past volatility and the notional amount at risk. However, 
derivatives can be considerably more complex. Their volatility can be significantly 
higher than that of an individual stock. Sometimes, exposures to multiple derivatives 
contracts can cancel each other out, which means that notional value would not even 
apply, although risk is still involved. Market participants have resorted to using option 
Greeks (e.g., delta, gamma, theta, and vega) to model uncertainty, but these values 
cannot be aggregated with other positions to the enterprise level. 


VaR has emerged as a popular attempt at risk aggregation, but it has some drawbacks. 
First, there are a few different versions of VaR used in practice. Second, VaR uses several 
simplifying assumptions, and risk managers can alter the computed value by adjusting 
the number of days or the confidence level used in the calculation. Third (and perhaps 
the most important challenge), VaR is intended to determine a loss threshold level. It 
measures the largest loss at a specified cutoff point, not the magnitude of tail risk. For 
this reason, some risk managers (and regulators) have turned their attention to 
scenario analysis, stress testing, and expected shortfall, which is a statistical measure 
designed to estimate the magnitude of aggregate tail risk losses. The drawbacks of 
relying on VaR as a single risk metric were clearly discovered during the financial crisis 
of 2007-2009. 


However, VaR is still a very valuable enterprise-level risk metric. One valuable use is to 
consider risk exposures across business units. The related measure of economic capital 
is also extremely useful for risk managers. It enables a conceptually simple method of 
considering risk, which involves calculating a risk-adjusted return on capital 


(RAROC), shown as follows:? 
RAROC = after-tax risk-adjusted expected return / economic capital 


This formula is essentially reward per unit of risk, and the numerator needs to be 
adjusted for expected losses. The practical application of the RAROC formula involves 
comparing the calculated value to the cost of equity. Only reward-to-risk measures that 


exceed the cost of capital should be considered acceptable. Four specific practical 
applications are: 


1. Business comparison. This metric permits comparison of business units even when 
different levels of economic capital exist for each segment. 


2. Investment analysis. This approach could be used to evaluate potential new product 
offerings. For example, a bank could use this technique to decide whether to branch 
out into a new credit product. 


3. Pricing strategy. Firms could use RAROC to determine if their current pricing 
strategy provides sufficient return relative to the estimated risk taken. 


4. Risk management. In the most basic sense, this metric can be used to highlight areas 
where risk is not being properly covered with expected rewards. 


The overall point of risk management is to consider the drivers of risk and whether 
sufficient reward is generated relative to the level of risk assumed. Risks can be 
avoided, retained, mitigated, or transferred. This is the heart of the risk management 
process. 


2) MODULE QUIZ 1.2 
= 1. In considering the major classes of risks, which risk would best describe an entity 
with weak internal controls that could easily be circumvented with a lack of 
segregation of duties? 
A. Business risk. 
B. Legal and regulatory risk. 
C. Operational risk. 
D. Strategic risk. 


2. Local Bank, Inc., (LBI) has loaned funds to a private manufacturing company, named 
We Make It All (WMIA). The current balance of the loan is $1 million, and it is 
secured by a piece of land and the corresponding building owned by WMIA. Due to an 
economic downturn, WMIA suffered a loss for the first time in its 10-year operating 
history and is currently experiencing some cash flow difficulties. In addition, the 
land and building that is held as collateral has recently been appraised at only 
$800,000. Based only on the information provided, which of the following risks faced 
by LBI have increased? 

A. Bankruptcy risk and default risk. 

B. Bankruptcy risk and settlement risk. 

C. Default risk and downgrade risk. 

D. Default risk, downgrade risk, and settlement risk. 


3. Which of the following statements is correct relative to risk aggregation? 

A. Enterprise-level risk should be reduced to a single number (e.g., value at risk) for 
ease. 

B. Expected shortfall provides a more complete understanding of the potential 
magnitude of losses. 

C. Risk aggregation is most straightforward for derivatives contracts. 

D. Measuring dispersion using the option Greeks can streamline the risk aggregation 
process. 


KEY CONCEPTS 


LO 1.a 

Risk is uncertainty surrounding outcomes. A risk management process is a series of 
actions designed to reduce or eliminate the potential to incur loss. Risk taking refers to 
the active acceptance of incremental risk in the pursuit of incremental gains. 


The risk management process is a formal series of actions designed to determine if the 
perceived reward justifies the expected risks. 


There are several core building blocks in the risk management process, which are listed 
as follows: 


1. Identify risks. 

2. Measure and manage risks. 

3. Distinguish between expected and unexpected risks. 
4. Address the relationship between risks. 

5. Develop a risk mitigation strategy. 


6. Monitor the risk mitigation strategy and adjust as needed. 


LO 15 

Value at risk (VaR) and economic capital are two ways that risk managers can attempt 
to quantify risk. Some of the qualitative methods include scenario analysis and stress 
testing. Risk managers need to be careful to not think that enterprise-level risk can be 
reduced to a single number. Risk is a complex concept that requires a dynamic process 
to identify, measure, mitigate, and monitor relevant risks. 


LO 1.c 

Expected losses are the average loss expected over a given time horizon. They are a 
function of (1) the probability of a risk occurring; (2) the dollar exposure to the risk 
event; and (3) the expected severity of the loss if the risk event does occur. Unexpected 
losses are losses that exceed the average result expected. When unexpected losses are 
clustered (i.e. correlation risk) they can become a little easier to model. 


LO 1.d 

There is an observed trade-off between risk and reward; opportunities with lower risk 
also have lower risk potential. Risk managers need to consider not only the potential 
impact of a given risk but also the granular loss drivers that underpin a given risk. 
Sometimes corporate insider goals conflict with those of shareholders. This reality 
could drive risk taking that promotes an ulterior benefit that may later cause a big 
problem when an extreme unexpected loss (i.e. tail risk) materializes. Multiple layers 
of supervision along with periodic and independent internal audits can help to offset 
these conflicts of interest. 


LO 1.e 

The general term “risk” can be subcategorized as market risks, credit risks, liquidity 
risks, operational risks, legal and regulatory risks, business and strategic risks, and 
reputation risks. 


= Market risk refer to potential losses resulting from changes in financial market levels 
or volatility. 


= Credit risk is essentially the risk of default on a loan. 


= Liquidity risk relates to not having access to enough money to meet business needs. 
This could also flow from an inability to quickly exchange a financial asset for a 
reasonable amount of cash. 


= Operational risk is a very broad category that involves potential losses flowing from 
inadequate (or failed) internal processes, human error, or an external event. 


= Legal and regulatory risks come from either the threat of litigation or the threat of 
unfavorable government actions. 


= Business risk refers to variability in either revenue or input cost that influence the 
viability of the business. 


= Strategic risk involves uncertainty surrounding long-term business strategy. 


= Reputation risk is a loss of sales due to a decline in public perception about the 
company’s products or general level of fairness. 


LO 1.f 

Some risks are correlated, which can lead to a domino effect where one risk leads 
directly to another risk. This can amplify risk exposures. Risk aggregation is the 
process of considering risk at the enterprise level. Higher complexity of the underlying 
risks will lead to less reliability of risk assumptions. 


VaR and the associated economic capital measurement are both useful metrics that 
provide risk managers information. A risk-adjusted return on capital (RAROC) can be 
calculated for comparison purposes, but VaR should not be considered as a stand-alone 
risk metric because it makes certain assumptions, can be adjusted by input parameters, 
and there are different types of VaR measurements. However, VaR, economic capital, 
and RAROC can be useful for helping risk managers better understand the aggregate 
risk exposure of a firm. 


ANSWER KEY FOR MODULE QUIZZES 


Module Quiz 1.1 


1.A Risk management is more concerned with the variability of losses, especially ones 
that could rise to unexpectedly high levels or ones that suddenly occur that were 
not anticipated (i.e., unexpected losses). Risk is not necessarily related to the size 
of the potential loss. For example, many potential losses are large but are quite 
predictable and can be accounted for using risk management techniques. The final 
step of the risk management process involves assessing performance and 
amending the risk mitigation strategy as needed. The risk management process 
only involves risk transferring by one party and risk assumption by another 
counterparty. It is a zero-sum game, so it does not result in overall risk 
elimination. (LO 1.a) 


2.C Risk managers should identify relevant risks, measure them, determine how to 
manage the risks, distinguish between expected and unexpected risks, consider 
the relationship between risks, develop a risk mitigation strategy, and monitor 
the process. They do not need to avoid all risks, which is impossible, because 
carrying manageable risks is one path to potential reward. (LO 1.a) 


3.C Examining the impact of a dramatic increase in interest rates is an example of 
stress testing. Enterprise risk management makes use of measures such as stress 
testing. (LO 1.b) 


4.A Loan defaults are increasing simultaneously while recovery rates are decreasing is 
an example of correlation risk. Correlation risk could drive up the potential 
losses to unexpected levels. In contrast, if lending losses are covered with a 
spread, given that there is sufficient information to compute such a spread, then 
the losses would likely be considered expected losses. (LO 1.c) 


5.B The risk/reward trade-off is easier to navigate for assets that are less complex. 
Individual stocks are considerably less complex than the thinly traded securities 
or illiquid assets that private equity investors embrace. Risk management 
conflicts are best mitigated through supervision (e.g., periodic independent 
internal audits). These conflicts generally are increased by the inclusion of stock- 
based compensation because risk managers might ignore certain risks to pursue 
the potential of personal financial gain in the short-term. Risk managers should 
always consider granular loss drivers to better understand what could impact the 
risk/reward trade-off. (LO 1.d) 


Module Quiz 1.2 


1.C Weak internal controls and lack of segregation of duties would represent a 
nonfinancial risk and be best described as an operational risk. Business risk 
focuses on the income statement (i.e., revenues too low and expenses too high). 
Legal and regulatory risk focuses on the risk of an entity being sued or the risk of 
unfavorable changes in the rules and laws that the entity must follow. Strategic 
risk focuses on significant new business investments or significant changes in an 
entity’s business strategy. (LO 1.e) 


2.A The fact that the loan is secured by land and the building is now worth less than 
the amount of the loan outstanding subjects LBI to increased bankruptcy risk in 
the sense that the liquidation value of the collateral is insufficient to recover the 
loss if the loan defaults. The financial loss and the cash flow difficulties suggest 
that there is increased default risk for LBI as well. Downgrade risk does not apply 
here because WMIA’s loan is not publicly traded and is unlikely to be rated by a 
recognized rating agency. Settlement risk does not apply here either, because 
there is no exchange of cash flows at the end of the transaction that would be 
required to incur such risk. In this case, the loan is settled when WMIA fully 
repays the principal balance owed. (LO 1.e) 


3.B By itself, VaR has flaws as a single risk score for a firm. It uses various 
assumptions and it can be managed by adjusting the confidence level. While VaR 


tells analysts the loss threshold, expected shortfall communicates the magnitude 
of losses beyond the VaR threshold. The use of derivatives can make risk 
aggregation more challenging because option Greeks (e.g., delta, gamma, theta, and 
vega) cannot be aggregated and some derivatives exposures cancel each other out, 
which means that notional value is not a good measure of the true risk exposure. 
(LO 1.f) 


1 The term Herstatt risk refers to the counterparty risk associated with the failure of Herstatt Bank in Germany. The 
bank was closed by regulators in 1974 in the wake of a foreign exchange issue, and the bank’s closure led to 
settlement risk with every counterparty of the bank. 


= https://www.bis.org/publ/bcbs195.pdf, page 3, footnote 5. 


3 Crouhy, M., Galai, D., and Mark, R. The Essentials of Risk Management, 2nd Edition (Chapter 17). McGraw Hill, 
2014. 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 2. 


READING 2 


HOW DO FIRMS MANAGE FINANCIAL 
RISK? 


Study Session 1 


EXAM FOCUS 


This reading builds on the material from the previous reading and provides coverage of 
additional fundamental risk management concepts. As a firm considers its risk 
management process, they need to clearly define the internal goal of this process. 
Additionally, they need to understand how much risk they wish to retain, avoid, 
mitigate, or transfer. Risk mapping helps a firm understand and prioritize which risks 
are most important internally. Only after risk mapping has been conducted can the 
desired mitigation tools be selected, deployed, and monitored. Risk management is an 
iterative process in that once risks are located and desired, mitigation methods are 
discussed, and risk managers need to reassess if the risk-generating business is the right 
strategic placement for the firm. For the exam, pay close attention to the material on 
managing risk exposures, hedging risk exposures, foreign currency risk, and the 
potential impact of risk management tools. 


MODULE 2.1: CORPORATE RISK MANAGEMENT 


Strategies for Risk Management 


LO 2.a: Compare different strategies a firm can use to manage its risk exposures 
and explain situations in which a firm would want to use each strategy. 


At a high level, a firm can pick from four different risk management strategies. Senior 
management and the board of directors are ultimately responsible for strategy 
selection, but risk managers can help inform the decision-making process. The risk 
management strategies are as follows: 

1. Accept the risk. 

2. Avoid the risk. 


3. Mitigate the risk. 


4. Transfer the risk. 


A firm could decide to accept (i.e., retain) known risks. One reason to retain a risk is 
that it is perceived to have a small impact on the firm and managing the risk might 
prove more costly than it is worth. Another reason to retain risk is that the 
investors/owners desire exposure to this risk factor. For example, owners of a gold 
mine may want direct exposure to the market price movements of gold. A third reason 
to potentially retain a risk is because the cost can be priced into the firm’s products 
and passed along to customers. In this way, the firm is not negatively impacted by 
retaining the risk. 


Sometimes the best strategy is to avoid risk all together. If a business risk is not a 
natural part of normal business operation, then it should be considered as a possible 
risk to avoid. This might mean completely stopping activity in a business unit if its risk 
is unnecessary for the overall function of the business. For example, some businesses 
retain operating units with very unconnected purposes. Conglomerates, like General 
Electric, are great examples of this notion. During the financial crisis of 2007-2009, 
their financial services business unit caused tremendous pain for the organization, 
which is fundamentally an industrial firm. Management realized that financial risks 
(and a few other business units) needed to be sold to avoid risks to their core business 
units. 


Businesses that choose to retain risks may seek ways to strategically mitigate known 
risks. Mitigation can take many different forms depending on the risk factor involved. A 
bank may mitigate credit risk by offering loans at higher interest rates, with shorter 
maturities, and/or with enhanced collateral requirements. Manufacturers might 
mitigate rising labor costs by investing in automation, and transportation companies 
might mitigate rising fuel costs by upgrading planes, trucks, and/or other vehicles to 
more fuel-efficient versions. 


Risk can also be transferred to a third party. This option can be costly because it 
usually involves either purchasing insurance coverage or investing in derivatives. 
Transferring risk also introduces counterparty risk because the firm is relying on the 
third party to make good on the insurance provided if a risk event arises. 


In a rational process, the ultimate decision should be made after a thorough cost- 
benefit analysis. For example, a firm might conduct a worst-case scenario analysis and 
calculate their risk of a cyber threat to cost $75 million. If this cost is related to their 
core business, then they cannot avoid the risk, so they must decide how to adequately 
retain it. The next step is to assess the cost of insurance relative to the costs of 
mitigation through purchasing new equipment. The method with the best cost-benefit 
relationship should be strongly considered by senior management. In this example, the 
solution may be a mix of mitigation and risk transference. 


Risk Appetite Relative to Risk Decision-Making 


LO 2.b: Explain the relationship between risk appetite and a firm’s risk 
management decisions. 


With an awareness of the high-level strategies available, risk managers can proceed 
through a five-step risk management process. This section will focus on the first two 
items, while the others will be discussed in subsequent sections. The risk management 
process is as follows: 


1. Identify risk appetite. 

2. Map known risks. 

3. Operationalize the risk appetite. 

4. Implement a plan. 

5. Monitor and adjust the plan as needed. 


Risk appetite refers to the level (and types) of risk that a firm is willing to retain. 
There are two very important subcomponents: risk willingness and risk ability. Risk 
willingness relates to a firm’s desire to accept risk in pursuit of its business goals, while 
risk ability can put a cap on risk willingness for various reasons. The most common 
reasons for reduced risk ability are internal risk controls (to keep risk in a desired 
range) and regulatory constraints. For example, banks are not permitted to have a 
leverage ratio (percentage of Tier 1 capital to bank assets) below 3%. 


LT PROFESSOR'S NOTE 
“ It is important to distinguish between a company’s risk appetite and 
industry-level risk appetites as reported by popular media outlets. The latter 
is a general measure of sentiment, while the former is a more static internal 
control established by the senior leadership of a given company. 


Actual risk levels should be set below the maximum capacity of a company. There is 
always the potential for error in the risk estimation process. If a firm has total risk 
capacity of $200 million and senior management has set a risk appetite at a lesser 
amount (e.g., $170 million), then managers should leave a margin for error and accept 
some risk level that is marginally below that amount (e.g., perhaps a cap of $150 
million of exposure in this example). Figure 2.1 illustrates this concept. 


Figure 2.1: Illustration of Accepted Risk Relative to Risk Capacity 


-" — 


y Total Risk Bran 
(e.g., $200 million) 


Internal Risk Appetite 
(e.g., $170 million) 


Actual Risk Accepted 
teg., $150 million) 


Role of the Board of Directors 


Senior management and the board of directors need to clearly define the firm’s risk 
appetite and communicate the policy to stakeholders in a quantitative and/or 
qualitative manner. There are several possibilities, including 


= explicitly stating (qualitatively) which risks the firm wants to retain (i.e., leave risks 
unhedged) and, which risks to either avoid, mitigate, or transfer (i.e., either avoid or 
hedge the risk); 


= using a quantitative metric such as value at risk (VaR) to convey the maximum loss 
the firm will tolerate for a given confidence level for a given period of time; and 


= using stress testing whereby management considers possible but very severely 
negative scenarios to determine the level of losses. The results of stress testing can be 
used to inform the decision to retain, avoid, mitigate, or transfer known risks. 


A problematic issue for the board of directors in determining the firm’s risk appetite 
centers on the potential conflict between the two major stakeholders—debtholders 
and shareholders. Debtholders would likely be more concerned with minimizing all 
risks because their upside potential is generally limited to the rate of interest charged. 
In contrast, shareholders may be willing for the firm to accept a large but unlikely risk 
to increase equity returns. 


The board must ensure that its goals are stated in a clear and actionable manner. This 
communication usually takes two forms. The first is a broad statement of risk appetite 
that can be used in external communications. The second is a very detailed statement 
that can be used internally so that risk managers and line managers understand the 
enterprise-level expectations. The detailed statement will be used to guide business 
decision-making, inform business planning cycles, and identify trouble spots where 
mitigation needs to be highlighted. 


PROFESSOR'S NOTE 

“In their 2016 Annual Report, HSBC listed 13 broad risk categories of interest 
including earnings, credit risk, operational risk, market (traded) risk, 
regulatory risk, and financial crimes risk. 


There are several complexities that the board may need to consider, depending on the 
unique circumstances of each firm: 


1. Unity of risk appetite. Do the different risk types (i.e., market risk, credit risk, 
liquidity risk, operational risk, legal and regulatory risk, business and strategic risk, 
and reputation risk) have different risk appetites? 


2. Entrepreneurial opportunities. Is there a type of risk that could provide a 
competitive edge if more risk is assumed than in other categories? 


3. Layers of correlated risks. Does an operating unit expose the enterprise to more than 
one type of risk in which the risks might be highly correlated (e.g., operations of a 
foreign subsidiary could have operational and foreign currency risk that move in 
lockstep)? The company may need to pick which risks to hedge and which to accept. 


4. Time horizon. Does the board prefer to focus on hedging short-term or long-term 
risks because they may be mutually exclusive? Often, companies may default to 
smoothing operations over time to support their stock price. Additionally, paying to 
hedge future-oriented risks could create short-term profitability issues due to the 
cash outlays involved. 


5. Possibility for risk limit tolerance bands. Are there adequately communicated 
tolerance bands within which managers can operate? This will provide managers 
with some opportunistic flexibility while also clearly communicating expectations. 


6. Reputational impact. What does the firm’s risk appetite communicate to its 
stakeholders? 


7. Risk measurement. How will risk be measured at the enterprise level? In Reading 1, 
it was established that it is difficult to reduce risk management to a single value at 
the firm-level. VaR, notional limits, and stress testing all have value, but a firm will 
need to logically deduce a metric that makes sense given their unique business 
model. 


Risk Mapping 

After a firm establishes its risk appetite, it should assemble an inventory of all known 
risks. This process is called risk mapping and it is the next logical step in the risk 
management process. This robust approach systematically considers any risk with a 
known (or potential) cash impact on the firm. Every type of risk (i.e., market risk, credit 
risk, liquidity risk, operational risk, legal and regulatory risk, business and strategic 
risk, and reputation risk) is considered. Risk managers should incorporate any known 
interactions between risk factors in terms of correlation risk or the possibility that one 
risk might cancel out the cash impact of another risk (i.e. there might be a risk netting 
that occurs). 


Consider an example of a firm that has a known commodity risk exposure in its 
manufacturing process. Perhaps they are exposed to the price of copper. Futures 


contracts are readily available for copper, but more detail is required. What is the 
magnitude of the exposure? Does the firm need 1 million pounds of copper or do they 
need 10 million pounds? What is the timing of the need? Does the firm need all of the 
copper at one specific date or do they need 10% of the total amount at 10 different 
dates? Where do they need the copper? Does the firm need all of the copper in one 
geographical location or do they need it in five different regions/countries at different 
production facilities? The depth of these questions borders on supply chain queries, but 
risk managers need very granular information such as the magnitude of a need, the 
timing of a need, and the location of a need to properly create a risk map at the 
enterprise level. 


Consider another example of a company with foreign sales. They sell products in 12 
different countries (representing eight different currencies due to the euro being shared 
between a few customers). This company has foreign currency risk and possibly others 
as well. They need to figure out if they want to consider only current sales, current 
sales plus estimated sales that have a high probability of occurring, or some other 
variant. This consideration is in addition to the need to know the size, timing, and exact 
currency of the exposure. There is some netting potential with foreign currency risk 
because the firm may need to retain some of the foreign currency for operational needs. 
All of these details are needed in the risk mapping process. 


The robustness of the risk mapping process will directly correlate with the level of 
granularity of the inputs. It has been illustrated that businesses need to consider the 
magnitude of the exposures, the timing of the exposures, the location of the exposures, 
the calculation methodology (i.e. current or projected values), and the potential for 
risk netting. At a minimum, this granular process should be conducted for the top-10 
risk exposures for a firm, but it is best to do this exercise for all known risks if possible. 
The ultimate goal is to understand the risk landscape for a firm, which will enable 
senior managers to determine which risks to retain, avoid, mitigate, or transfer. 


Hedging Risk Exposures 


LO 2.c: Evaluate some advantages and disadvantages of hedging risk exposures 
and explain challenges that can arise when implementing a hedging strategy. 


There are many risks that can be hedged but not all should be hedged. Some investors 
would prefer that risks remain unhedged because they are looking for the specific risk 
exposure provided by a given company (e.g, commodity or currency exposure). The 
primary goals of hedging risks are to increase financial stability and reduce the risk of 
financial distress (e.g., bankruptcy or reputational risks). There are several practical 
advantages of hedging to consider, as well as some theoretical and practical 
disadvantages. 


Hedging Advantages (In Practice) 

One of the key reasons for a firm to hedge its risk exposures is the possibility of 
lowering its cost of capital (either debt or equity), which could lead to increased 
economic growth. A firm may also be able to increase its debt capacity by reducing the 


volatility of its earnings/cash flows. This would potentially provide access to lucrative 
investment opportunities. Additionally, borrowing arrangements for firms with less 
volatile earnings/cash flows usually contain fewer conditions and restrictions imposed 
by the lenders. 


There is also a potential cash flow advantage. The firm may engage in hedging activity 
that extends beyond risk transfer to involve cash flow enhancement. For example, a 
company may begin with an effort to hedge commodity prices and end up with a large 
profit position in futures contracts. Another possible cash flow impact could occur if 
the hedging activities smooth out revenues/costs, such that tax liabilities decrease. This 
occurrence would have a direct cash flow impact by paying less money to taxing 
authorities. 


There is a signaling element of hedging. Stability in a firm’s operations signals strength 
to its stakeholders. This reputational message could impact lenders, customers, 
suppliers, and employees. This stability is often directly reflected in the firm’s stock 
price. The other signaling aspect of hedging is that it communicates the risk appetite 
established by the firm’s board of directors. 


Management may see hedging as having two other distinct benefits. First, it makes 
business planning easier because the risks are controlled. Second, it enables managers 
to potentially lock-in strong margins, which in turn may affect both their prestige and 
compensation. Hedging can be used as a crutch to meet short-term performance goals; 
however, it also enables the advantage of locking in solid performance when it 
organically exists. 


Hedging with derivatives instruments such as swaps (and options) may be cheaper than 
purchasing an insurance policy. One must consider whether the total cost of the 
insurance over the years exceeds the estimated losses. 


Hedging Disadvantages (In Theory) 

In 1958, Franco Modigliani and Merton Miller argued that under the assumption of 
perfectly competitive capital markets with no transaction costs or taxes, both the firm 
and the individual investor are able to perform the same financial transactions at the 
same cost. In other words, the value of the firm will not change despite any attempt to 
hedge risk exposures. Unfortunately, the assumption of no transaction costs or taxes is 
highly unrealistic in the real world, which makes it a weak argument not to hedge risk. 


In 1964, William Sharpe developed the capital asset pricing model (CAPM), which 
argues that under perfect capital markets, firms should only be concerned with 
systematic risk (or beta risk; risk that is common to all market participants). Firms 
should not be concerned with unsystematic risk (or idiosyncratic risk) that pertains 
specifically to the firm, because such risk could be reduced through diversification ina 
large investment portfolio in a costless manner. Unfortunately, the perfect capital 
markets assumption is not realistic in practice, and diversification activities will result 
in transaction costs. 


There is the belief by many market participants that hedging is a zero-sum game that 
has no long-term increase on a firm’s earnings or cash flows (because earnings/cash 


flows are simply moved between periods). That argument assumes perfect capital 
markets and that derivatives pricing fully reflects all of its risk factors. Unfortunately, 
in practice, derivatives pricing is extremely complex and not as accurate as equity and 
bond pricing. Therefore, derivatives pricing is not always likely to reflect all of its risk 
factors; therefore, hedging with derivatives may not always be a zero-sum game of 
transferring risk between periods or between participants. 


A noteworthy point is that none of the arguments just listed consider the existence of 
the significant costs of financial distress and bankruptcy, a point that runs contrary to 
the assumption of perfect capital markets. 


Hedging Disadvantages (In Practice) 

Hedging activities may introduce disadvantages in the form of unplanned costs. One 
potential hidden cost is that hedging may cause management to lose focus on the core 
business activities of the firm. Misplaced focus could result in lost profit opportunities. 
Another potential cost involves compliance expenses (e.g. disclosure, auditing, and 
monitoring costs). 


Another disadvantage is the inherent complexity involved with derivatives contracts. 
Leverage built into many derivatives contracts can add complexity to analyzing the 
assumed risks. The use of derivatives could shift the company into unintended risk 
exposures. For example, a firm might hedge interest rate risks through a swap contract 
that may introduce unplanned downside risk. Relatedly, hedging may adjust payment 
structures by exchanging short-term payments for a balloon payment that shifts (and 
potentially amplifies) risk exposures. Also, the use of derivatives may reveal 
operational information that a firm may otherwise prefer to Keep private. Such costs 
could reduce the firm’s incentive to hedge its risks. 


The complexity of derivatives pricing means the pricing may not always be as accurate 
as possible, so it will not always reflect all of the relevant risk factors. As a result, in 
practice, hedging with derivatives may not be a zero-sum game of transferring risk 
between periods or between participants. 


Challenges Involved With Hedging Strategies 


One potential challenge of hedging is that the firm might misunderstand its risk 
exposures during the risk mapping process. Selecting the wrong risks, missing relevant 
risks, or misestimating risks could result in notional values on derivatives that are 
either too high or too small. They could also mean that risks (e.g., a specific currency 
risk) remains unhedged during a period when it could create a substantial risk event. 


Another challenge is that market trends change. Commodity prices, foreign exchange 
rates, and interest rates (among other risk variables) are very dynamic. When these 
variables change, risk exposures also change, and the risk management process needs to 
be as dynamic as the risk variables themselves. The challenge is that the pace of change 
may be too burdensome for some firms to actively manage. Attempting to hedge using a 
flawed hedging strategy may result in losses to the firm that are greater than the actual 
risks. 


There is also the potential for problems to be amplified by poor communication. The 
concern relates to strategy that has not been effectively communicated and to potential 
consequences that are not adequately disseminated to decision makers. The implosion 
of MG Refining and Marketing (MGRM) in 1993 is a classic example of poor 
communication. They were the American subsidiary of Metallgesellschaft AG, and they 
had agreements with customer to deliver 150 million barrels of gasoline and heating oil 
spanning over 10 years. Management chose to hedge their risk using rolling short-dated 
futures and over-the-counter (OTC) swaps. Changes in the oil market generated 
significant margin calls, which caused MGRM’s parent company to close all hedging 
positions and lock-in large losses. Subsequently, the oil markets reversed and moved 
against MGRM’s position and created a second wave of losses on their now unhedged 
exposures. These substantial losses may have been prevented had management more 
effectively communicated their strategy and the parent company bought into the 
notion. 


One challenge, that is somewhat easily fixable, is that hedging often requires very 
specific skills, knowledge, research, and time. The company may not have the necessary 
human capital internally. Fortunately, this challenge can potentially be remediated by 
outsourcing the hedging duties to a trusted third party risk manager. 


One way to combat this series of challenges is to build a strong internal risk culture in 
which employees are aware of company goals and working toward accomplishing them. 
This culture does not develop by accident. A few suggestions to create such a culture 
are the following: 


1. Regularly communicate risk goals and potential warning signs when risk limits are 
about to be breached. 


2. Conduct training to ensure that key staff have a unified understanding of risk 
management goals. 


3. Key staff should understand the potential consequences if risk limits are breached. 


4. The board of directors should be able to articulate the firm’s top-10 risks. 


2) MODULE QUIZ 2.1 


* 4. Bank Y has decided to use currency futures and forward to offset its entire 
estimated foreign sales exposure. Which high-level risk mitigation strategy does this 
description represent? 

A. Retain risk. 
B. Avoid risk. 
C. Mitigate risk. 
D. Transfer risk. 


2. The involvement of the board of directors is important within the context of a firm's 
decision to hedge specific risk factors. Which of the following statements regarding 
the setting of risk appetite is correct? 

I. Risk appetite may be conveyed strictly in a qualitative manner. 
II. Debtholders and shareholders are both likely to desire minimizing the firm's risk 
appetite. 


A. I only. 
B. II only. 


C. Both I and IT. 
D. Neither I nor ITI. 


3. Melody Li is a junior risk analyst who recently prepared a report on the advantages 
and disadvantages of hedging risk exposures. An excerpt from her report contains 
four statements. Which of Li's statements is correct? 

A. “Purchasing an insurance policy is an example of hedging." 

B. “In practice, hedging with derivatives may not be a zero-sum game." 

C. “The existence of significant costs of financial distress and bankruptcy is a 
natural consideration by perfect capital markets.” 

D. “Hedging with derivatives is advantageous in the sense that there is often the 
ability to avoid numerous disclosure requirements compared with other financial 
instruments." 


MODULE 2.2: RISK MANAGEMENT METHODS AND 
INSTRUMENTS 


Hedging Operational and Financial Risks 


LO 2.d: Apply appropriate methods to hedge operational and financial risks, 
including pricing, foreign currency, and interest rate risk. 


Hedging operational risk covers a firm’s activities in production and sales (i.e., expenses 
and revenue). These operational risks can be considered as income statement risks. 
However, financial risk relates to a firm’s balance sheet (i.e., assets and liabilities). By 
making the realistic assumption that there are some imperfections in the financial 
markets, a firm could benefit from hedging financial risk. Hedging activities should 
cover both the firm’s assets and liabilities to fully account for the risks. 


Pricing Risk 

The cost of inputs may have a significant impact on the firm’s ability to conduct its 
business in a competitive manner. Therefore, it makes sense to hedge such pricing risk 
by purchasing a forward or futures contract to buy a specific quantity of that input at a 
fixed cost, which can be determined in advance. The same advanced planning can 
benefit a firm’s domestic or foreign sales, as will be discussed next. 


Foreign Currency Risk 

The goal of hedging foreign currency risk is to control exposure to exchange rate 
fluctuations that impact both future cash flows (revenue) and the fair value of assets 
and liabilities. 


Revenue hedging can be used when a firm has sales to customers in foreign countries 
(with payment in the foreign currency). The concern is that losses will result when 
foreign sales are repatriated into the firm’s domestic (home) currency. The firm could 
hedge some of its expected foreign currency receipts. They should factor both the cost 
of hedging as well as revenue and exchange rate volatilities and correlations. 
Instruments that could be used include currency put options (to ensure a known 
absolute minimum return should the exchange rate fall beyond the strike rate) and 


forward contracts (to ensure a known return based on an exchange rate determined in 
advance and acceptable to the firm). 


In hedging the firm’s balance sheet exposures, the focus is on the impact of foreign 
exchange rate fluctuations on the net monetary assets of its foreign investments. 
Forward contracts are often used in this regard because they allow for the payment 
(loss) or receipt (gain) by the firm of a fixed amount at a fixed exchange rate that would 
offset any impact of rate changes on the net monetary assets (gain or loss; opposite of 
the forward contract). Foreign currency debt (liability) could also serve as a natural 
offset against a decrease in the value of a firm’s foreign investment (asset). Note that in 
some instances hedging is cost prohibitive, so some foreign currency positions may be 
left deliberately unhedged. 


Interest Rate Risk 


The goal of hedging interest rate risk is to control the firm’s net exposure (asset or 
liability) to unfavorable interest rate fluctuations. From both an investing and a 
borrowing perspective, interest rate swaps (or swaptions) may be used to protect a 
firm against losses. Also, it may help a firm to minimize its borrowing costs. Identical 
to the previous point about high hedging costs, some interest rate positions may be left 
deliberately unhedged. 


Static and Dynamic Hedging Strategies 

A static hedging strategy is a simple process in which the risky investment position is 
initially determined, and an appropriate hedging vehicle is used to match that position 
as Closely as possible (minimize basis risk). In contrast, a dynamic hedging strategy is 
a more complex process that recognizes that the attributes of the underlying risky 
position may change with time. Assuming it is desired to maintain the initial risky 
position, there will be additional transaction costs required to do so. Significantly more 
time and monitoring efforts are required with a dynamic hedging strategy. 


Additional hedging considerations include the following: 


= The firm must consider relevant time horizons for hedging and ensure that 
performance evaluations are matched with the time horizons. 


= The firm needs to assess the (often) complex financial accounting implications of 
hedging with derivatives. For example, if the hedge is not an exact match or offset to 
the underlying position, then there will be a gain/loss to report on the income 
statement. 


= The taxation of derivatives is a key issue because of its impact on the firm’s cash 
flows as well as the differing laws between countries. Significant effort and cost 
(which increase hedging cost) may be required to decipher the complex tax rules 
surrounding derivatives. 


The Impact of Risk Management Tools 


LO 2.e: Assess the impact of risk management tools and instruments, including 
risk limits and derivatives. 


A firm needs to decide if its hedging strategy is a one-off event or if it is part of broader 
risk management need. This decision is sometimes referred to as rightsizing a risk 
management program. The financial markets are very dynamic, and a broadly-applied 
risk management strategy requires investment in complex systems and hiring 
experienced traders. There are several risk limits that need to be understood and 
potentially controlled depending on the results of the risk mapping process. Figure 2.2 
lists the various risk limits along with the purpose of each limit and potential 
weaknesses of focusing on that risk limit. 


Figure 2.2: Risk Limits 


Limit Purpose Potential Weaknesses 
Stop Lass Sets a loss threshold which Does not address the potential 
Limits limits losses from escalating for future losses; only focuses on 
beyond a stop limit price. prevention of realizing a current 
loss. 
Notional Sets notional exposure The notional amount may not be 
Limits parameters. strongly related to the actual risk 
assumed. 
Risk Specific Targets a very specific risk Difficult to aggregate at the 
Limits (e.g, liquidity risk or currency enterprise level and may require 
risk). hiring someone with very specific 
skills. 
Maturity/Gap Minimizes the amount of While this limit does smooth 
Limits transactions that mature in out operational risks relative 
any given period. to maturity events, it does not 


address price risk. 
Concentration Imposes tolerance levels for Does not directly address the 


Limits concentration exposures potential for correlation risk. 
(e.g, counterparty Outcomes may be correlated even 
concentration or product type if they are not concentrated. 
concentration). 

Greek Limits Refers to option-specific Prone to model risk and 
limits relative to delta, estimation errors. 


gamma, theta, or vega. 
Value at Risk Attempt at an aggregated risk Does not provide a measure of 


(VaR) threshold. magnitude beyond the threshold. 
Subject to model risk, and input 
variables can be adjusted to yield 
desired results. 

Stress Testing Considerimplications of risk Require varying levels of 

or Scenario at specific stress points and sophistication and intimate 

Analysis combinations of multiple understanding of internal 

stress points. The idea is exposures. Difficult to know if all 
to test realistic worst-case risk exposures have been covered 


scenarios. in this process. 


As a firm considers which risk management tools to utilize, it needs to adequately 
understand the goal of its risk management program. Many firms treat risk 
management as a cost center, in which the goal is to minimize negative effects on the 
firm. They need to specify if the physical costs of deploying risk management tools will 
be allocated to the division level or if they will be recorded at the enterprise level. It is 
also possible that a firm treats its risk management efforts as a potential profit center, 
in which the goal is to use various tools to add value to shareholders through a direct 
net income contribution. 


Available risk management tools, known as derivatives contracts, are listed below. 
Some of these tools are exchange-traded derivatives and some are direct transactions 
between two counterparties on the over-the-counter (OTC) markets. 


1. Forward contracts. This is an OTC product that involves a transaction directly 
between two counterparties. The terms of the contract can be completely 
customized. Settlement may either be in cash or a physical item (e.g., barrels of oil). 


2. Futures contracts. This is an exchange-traded product that is standardized in its 
terms and conditions (i.e., no customization as with a forward contract). They are 
similar to a forward contract except that a futures contract uses a financial 
intermediary (middle man that reduces counterparty risk) as a clearing agent to 
facilitate the transaction. 


3. Swap contracts. This is a customizable OTC product in which two parties agree to 
swap economic positions. For example, an interest rate swap could be structured for 
one party to pay a fixed interest rate and receive a variable rate from the 
counterparty. 


4. Call option contracts. The buyer of a call option has the right (not the obligation) to 
buy shares of an underlying security (e.g., shares of stock or an index) at a specified 
(strike) price either at the maturity date (European options) or before the maturity 
date (American options). 


5. Put option contracts. The buyer of a put option has the right (not the obligation) to 
sell shares of an underlying security (e.g., shares of stock or an index) at a specified 
(strike) price either at the maturity date (European options) or before the maturity 
date (American options). 


6. Exotic option contracts. There are many complex options in the global marketplace 
that provide call- and/or put-like features with different twists, like Asian options 
that use average pricing. 

7. Swaption contracts. Much like an option contract, a swaption provides the 
swaption buyer the right (not the obligation) to enter a swap contract at some future 
date but with terms established when the swaption is initiated. 


LT PROFESSOR'S NOTE 
ê These derivatives instruments will be discussed in Book 3. 


Derivatives contracts have different benefits/drawbacks, depending on their trading 
location. Exchange-traded derivatives are attractive to investors seeking liquidity, low 
transaction costs, and reduced counterparty risk (because they are cleared through an 


exchange rather than independent parties). The catch is that they are standardized and 
there may not be an exact match to a risk manager’s need in terms of underlying 
security, timing, or location of delivery. This mismatch is sometimes called basis risk. 
On the other hand, derivatives contracts that are issued through OTC channels can be 
highly customized, but they sometimes lack liquidity, are more expensive, and they 
contain meaningful levels of counterparty risk. An OTC contract could be structured to 
meet the exact need of a business, but risk managers will assume the risk that the 
counterparty might not make good on their end of the contract (counterparty and 
settlement risks). 


Consider an example using the airline industry, which is heavily exposed to jet fuel 
prices. They need as much stability as possible because industry competition is such 
that they cannot pass along jet fuel price volatility to direct customers. There is not an 
exchange-traded product for jet fuel, so airlines could consider using products linked to 
crude oil. This presents basis risk for the airlines and requires them to also manage the 
spread between crude oil and jet fuel. Most carriers prefer to use OTC products that can 
be targeted to jet fuel, but this does present counterparty risk. Delta Airlines tried a 
different approach using vertical integration. They bought an oil refinery, which 
allowed them to control jet fuel prices, but opened them up to the other risks inherent 
in oil refining. Risk managers will need to balance the benefits and drawbacks to select 
the best combination of risks and risk reducers for a given need. 


2) MODULE QUIZ 2.2 
- 1. Jasmine Cellars is a U.S. wine producer that purchases a significant amount of cork 
(from Asia) for its wine bottles. Eighty percent of their sales are to customers in 
North America. Based on these two broad transactions, which of the following risks 
does Cellars most likely face? 
A. Financial position risk and operational risk. 
B. Operational risk and pricing risk. 
C. Pricing risk only. 
D. Financial position risk, operational risk, and pricing risk. 


2. You have just been hired as the vice president of risk management at Johnson 
Controllers. Your new employer is domiciled in the United States, but 35% of their 
sales are in Brazil. The highest priority task is to hedge the firm's exposure to the 
Brazilian real (their currency). You want to use a product that minimizes basis risk 
and can accommodate the firm's dynamic and sometimes unique cash flow patterns. 
Which tool would you least likely recommend? 

A. Futures contracts. 

B. Forward contracts. 
C. Swap contracts. 

D. Call option contracts. 


KEY CONCEPTS 


LO 2.a 
Firms can pick from four different risk management strategies: 
1. Accept the risk. 


2. Avoid the risk. 
3. Mitigate the risk. 
4. Transfer the risk. 


Risk acceptance could be done to actively include a risk factor in company 
performance or because the risk is being passed through to customers. Risk could also 
be avoided. If risk is retained, then it may be desirable to mitigate it through deal 
enhancement (i.e., more collateral on a loan or investing in new technology to offset a 
known risk). Risk can also be transferred to a third party, but this introduces 
counterparty risk into the equation. 


LO 2.b 

A firm’s risk appetite is its willingness to retain risk. It is usually influenced by 
everyone from line managers right on up to senior managers. The company will map 
known risks and determine their potential magnitude, timing, and location. Once the 
risks have been mapped, senior managers and the board of directors can establish 
enterprise-level risk tolerance levels, which will need to be monitored and periodically 
reassessed. 


LO 2.c 

Some of the benefits of deploying a hedging strategy include reduced costs, smoother 
operating performance, enhanced business planning, and the ability to lock-in positive 
results in the short-term. Some of the disadvantages include the potential for 
managerial focus to be shifted away from core operations, compliance costs, the 
possibility that new risks might be introduced in an attempt to minimize other risks, 
and the high level of complexity associated with many hedging strategies. Common 
challenges in the risk management process include misunderstanding or mis-mapping 
risk exposures, managing changes with risk variables in dynamic markets, and internal 
communication breakdowns. 


LO 2.d 

Hedging operational risks attempts to insulate revenues and expenses from unplanned 
risk. These could involve the cost of inputs or the currency impact on domestic 
performance. Financial risk refers to balance sheet items like assets and liabilities. 
Controlling these risks may involve interest rate hedging, among other factors. 
Companies will need to decide if they plan to hedge their operational and financial 
risks in a static (single hedge) or dynamic manner. 


LO 2.e 

A risk management process should be rightsized by determining which limits to 
impose and which risks to retain. Derivatives instruments could be used to physically 
manage risk, including: forward contracts, futures contracts, swap contracts, call option 
contracts, put option contracts, exotic option contracts, and swaption contracts. It is 


very important that a firm understand the benefits and drawbacks associated with 
their risk management tools relative to the status as either exchange-traded or OTC. 


ANSWER KEY FOR MODULE QUIZZES 


Module Quiz 2.1 


1.D Since Bank Y has decided to take a formal action, they have not chosen to either 
retain or avoid the risk. Mitigation would involve taking some internal action 
without using a financial asset. In using futures and forward contracts, Bank Y has 
chosen to transfer their foreign currency risk to a third party. (LO 2.a) 


2.A Risk appetite may be conveyed in a qualitative and/or quantitative manner, 
therefore, qualitative alone may be acceptable. Debtholders would likely be more 
concerned about minimizing all risks because their upside potential is generally 
limited to the rate of interest charged. In contrast, shareholders may be willing 
for the firm to accept a large but unlikely risk to increase equity prices. (LO 2.b) 


3.B The complexity of derivatives pricing means that the pricing may not always be as 
accurate as possible, so it will not always reflect all of the relevant risk factors. As 
a result, in practice, hedging with derivatives may not be a zero-sum game of 
transferring risk between periods or between participants. Hedging involves the 
use of financial derivatives, and insuring involves the use of insurance policies; an 
insurance policy is not considered a financial instrument in the same sense as a 
derivatives instrument. The existence of significant costs of financial distress and 
bankruptcy is contrary to the assumption of perfect capital markets. Hedging 
with derivatives will require disclosure, including some operational information 
that the firm may otherwise prefer to keep private. (LO 2.c) 


Module Quiz 2.2 


1.B Operational risk could cover activities pertaining to Jasmine Cellars’s input 
products (i.e., cork) and products exported to foreign countries (i.e. bottles of 
wine). In addition, there would be pricing risk for both the inputs and outputs. For 
example, the cost of the cork may have a significant impact on Cellars’s ability to 
conduct business in a competitive manner. Also consider that Cellars has sales to 
customers in foreign countries (with payment in the foreign currency) where 
there is the risk of the devaluation of the foreign currency in the future. Financial 
position risk refers to the balance sheet of a firm. Neither the purchases nor the 
sales impact Cellars’s balance sheet. (LO 2.d) 


2.A A futures contract does not provide customization. The firm wants to reduce 
basis risk and provide for a complex and dynamic cash flow pattern. (LO 2.e) 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 3. 


READING 3 


THE GOVERNANCE OF RISK 
MANAGEMENT 


Study Session 1 


EXAM FOCUS 


This topic focuses on corporate governance, which is how companies operate, and 
includes the roles of shareholders, senior managers, and the board of directors. For the 
exam, pay attention to the best practices in corporate governance and risk 
management, as well as the interdependence of functional units within a firm’s risk 
management ecosystem. In addition, understand the purpose and function of the main 
board committees, such as risk management, compensation, and audit. 


MODULE 3.1: CORPORATE GOVERNANCE AND RISK 
MANAGEMENT 


In avery broad sense, corporate governance is the series of processes established to 
operate a business. It involves shareholders, senior management, and ultimately, the 
board of directors. This discipline has evolved from a vague principle to a series of 
well-defined best practices in the wake of several high-profile corporate governance 
failures (e.g., Enron [2001], WorldCom [2002], Global Crossing [2002], and Parmalat 
SpA [2003]). As is often the case, U.S. federal legislation (regulation) develops as a result 
of a systemic failure. The Sarbanes-Oxley Act (SOX) of 2002 was once such effort. It 
imposes strict financial reporting and auditing parameters on public companies. 


> PROFESSOR'S NOTE 

“ European regulators decided not to enact a SOX-like rule in their jurisdiction. 
Instead, they chose voluntary reform using a “comply-or-explain” model 
where businesses could elect to not comply with recommended best practices 
as long as they explained their reasoning. 


On July 30, 2003, SOX went into full effect in the United States. This regulation had 
several important practical implications: 


= Chief financial officers (CFOs) and chief executive officers (CEOs) must personally 
verify and certify the accuracy of financial filings with the Securities and Exchange 


Commission (SEC). 


a CFOs and CEOs must attest that all disclosures provide an accurate picture of the 
firm. 


= Certain internal controls (e.g., board of director and audit committee composition) 
are required, and any deficiencies (including uncovered fraudulent activity) must be 
promptly and accurately disclosed to investors and regulators. 

= The firm’s reporting procedures and internal controls must be audited annually. 

= Audit committee member names must be publicly disclosed, and they must 
- beable to understand accounting principles, 
- beable to comprehend financial statements, and 


- have audit experience. 


Regulation and Governance After the Global Financial 
Crisis 

LO 3.a: Explain changes in regulations and corporate risk governance that 
occurred as a result of the 2007-2009 financial crisis. 


The financial crisis of 2007-2009 has been linked to several risk management failures. 
The heart of the crisis revolved around there being too many securitized mortgage 
products (i.e, mortgage-backed securities) that were linked to subprime (i.e., high-risk 
and low-borrower quality) loans. When the subprime loan default rates rose, the 
associated mortgage-backed securities caused massive losses throughout the financial 
system. Some firms were taken to the edge of bankruptcy while others (e.g., Lehman 
Brothers) were forced to stop operations. 


Through the financial crisis, it became apparent that many different financial 
institutions and ratings agencies did not have adequate risk appraisal and control 
systems. These failures flowed from declines in underwriting standards, a general 
breakdown in oversight (i.e., management being more concerned with short-term 
profits than long-term ethical decision-making), and overuse of complicated structured 
products. The recently enacted SOX was not sufficient to prevent the next crisis, which 
began in the United States but spilled over into a global crisis from which it took years 
to recover. 


The following is a list of some of the key lessons learned from risk management failures 
during the financial crisis, with respect to the banking industry: 


= Stakeholder priority. Some firms have a diverse set of stakeholders, such as 
depositors (banking sector), borrowers (banking sector), regulators, employees, 
bondholders, and shareholders. At times, this widely diverse group has competing 
needs, which makes risk management challenging. 


= Board composition. The financial crisis did not provide clear guidance on the 
traditional advice for board composition to be independent, engaged in the process of 
supervision, and a collection of professionals who hold a level of industry expertise. 
In particular, the banking sector showed no difference in outcome, whether board 


directors were internal or external stakeholders. This reality confounds traditional 
logic and was probably the result of external forces that could not be mitigated by 
independence. 


= Board risk oversight. One very clear lesson from the crisis is that board members 
need to be very proactive in the risk management process. Education for board 
members is necessary to ensure recognition of the importance of this role and the 
link between the board and the risk management infrastructure. 


« Risk appetite. The board needs to clearly articulate and communicate the firm’s risk 
appetite to stakeholders. This risk budget should be translated into an enterprise- 
level risk limit system. 


= Compensation. The board should exercise control over management compensation 
regimes to not incentivize undesired risk-taking behavior. Compensation structures 
that use deferred bonus payments and clawback provisions should be considered. 


In the wake of a series of banking-oriented crisis, global banking regulators pooled 
their intellectual resources to form the Basel Committee on Banking Supervision 
(BCBS). This organization is comprised of banking regulators (many of them central 
banks) from 27 global jurisdictions. They devised a series of standards, which follow. 
These standards are not legally binding, although they do present sound risk 
management best practices for firms willing to apply the guidance. 


= Basel I. The Basel Accord of 1988 (Basel I) created a uniform approach for banking 
capital adequacy standards. Basel I flowed out of the preceding Latin American debt 
crisis. This accord focused on managing credit risk by recommending minimum 
capital of 8% of a bank’s risk-weighted assets. 


Basel II. The Basel II framework replaced Basel I in 2006. This regime included both 
trading and lending activities in capital adequacy standards. Basel II also imposed 
disclosure suggestions and standards for bank supervision by regulators. 


« Basel III. In a direct response to the financial crisis of 2007-2009, Basel III was born. 
This system factors both company-specific (idiosyncratic) risk and market-level 
(systematic) risk. 


The current regime (Basel III) limits Tier 1 capital (a core measure of a bank’s 
strength) to include common equity and retained earnings. It also imposes a liquidity 
coverage ratio, where banks must hold enough highly liquid assets to fund 30-day’s 
worth of cash needs. A net stable funding ratio was also established to encourage 
banks to have at least one year’s worth of stable cash flow to fund required operations. 
The last step was to add a macroprudential overlay to lessen systematic risk and 
procyclicality. This overlay consists of five elements: 


1. A leverage ratio (Tier 1 capital/total consolidated assets) cap of 3%. 
2. A countercyclical capital buffer. 


3. All global systemically important banks have minimum total loss-absorbing capital 
standards. 


4. Because of concerns about systemically important markets and infrastructures, 
Basel III is encouraging as many trades as possible to be centrally cleared. This step 


is to minimize counterparty risk. 


5. Risk modeling and stress testing are being modified to better capture tail risk. 


In 2015, the BCBS issued revised guidelines for banking sector risk management. They 
are summarized as follows: 


1. Responsibility of the board of directors. The board has the ultimate responsibility to 
oversee senior management’s implementation of the firm’s risk appetite, strategic 
objectives, and governance framework. 


2. Board composition. All board members should be qualified for their supervisory 


responsibility. They must have topical knowledge as well as the skillset necessary to 
execute their duties. 


3. Policies of the board. The board should establish policies for its own operation that 
reinforce their objectives. 


4, Senior management. The firm’s senior management should conduct the day-to-day 
business operations in accordance with the strategy approved by the board. 


5. Governance for a conglomerate. A conglomerate is a business that is a compilation of 
several other businesses. This is often structured with a parent firm and several child 
firms which conduct daily operations in different functions. The board of the parent 
firm needs to have ultimate oversight over the operations of all members of the 
conglomerate. 


6. Risk management function. There should always be an independent risk management 
function that reports to the board under the daily supervision of a chief risk officer 
(CRO). 

7. Risk identification, monitoring, and control. The board has the ultimate responsibility 
to oversee risk mapping (identification). Once risks are identified, the board needs to 
direct the process of determining if a risk should be retained, avoided, mitigated, or 
transferred. Incumbent in this process is the responsibility to monitor dynamic risks 
on an ongoing basis. 


8. Risk communication. A robust risk management system requires effective 
communication about the firm’s risk appetite and risk management process to all 
levels of the firm. 


9. Compliance. The board is ultimately responsible for overseeing compliance risk 
management. 


10. Internal audit. Periodic audits should be conducted to inform the board of the firm’s 
progress on their risk management process. 


11. Compensation. The board should organize and supervise the firm’s compensation 
structure such that management is held financially accountable for risk decision- 
making. 

12. Disclosure. The firm’s risk management process should be adequately disclosed to 
stakeholders. 


In 2016, Basel III was expanded to include the Fundamental Review of the Trading 
Book (FRTB). This framework is intended to broaden the inclusion of market risk 
exposures. The focus for FRTB is on risk introduced through a bank’s trading desk in 


derivatives, futures (including currency and index exposures), and other complex 
financial assets. 


While the financial crisis of 2007-2009 prompted Basel III, it also resulted the Dodd- 
Frank Act. A little background information is helpful to properly understand Dodd- 
Frank. Previous to 1999, banks operated under the Glass-Steagall Act, which prohibited 
commercial banks from operating investment banking divisions in the same firm. The 
core idea was to protect depositors from trading volatility. The Graham-Leach-Bliley 
Act (introduced in 1999) removed this barrier and permitted bank holding companies 
to reform as financial services holding companies (FSHCs). These FSHCs could combine 
commercial (depository) banking under the same corporate umbrella as investment 
banking, insurance, and broker-dealer services. The result of overwriting Glass-Steagall 
was that Bear Sterns and Merrill Lynch were in such distress that they needed to be 
merged into larger (more stable) financial institutions and Lehman Brothers went 
bankrupt. After the financial crisis, the Dodd-Frank Act was enacted (in July 2010) to 
address several issues related to financial consumer protection and market stability. A 
list of seven key elements of Dodd-Frank follows: 


1. Strengthen the Fed. The Federal Reserve Bank (i.e. the Fed) was given oversight over 
all systemically important financial institutions (SIFIs) with assets greater than $50 
billion. 


2. Ending too big to fail. This legislation ended the too big to fail theory and created an 
orderly liquidation authority to deal with failure of a large financial institution. 


3. Resolution plan. All SIFIs are required to submit a living will to the Fed. This 
document should outline governance resolution planning in the event of corporate 
distress. 


4. Derivatives markets. Dodd-Frank attempted to create more transparency in 
derivatives markets by reducing counterparty risk. Note that this concern was 
clearly echoed in Basel III as well. 


5. The Volker Rule. This infamous rule would re-impose some of Glass-Steagall by 
prohibiting banks from engaging in proprietary trading (trading with the bank’s 
money). 

6. Consumer protection. Dodd-Frank created the Consumer Financial Protection Bureau 
to regulate consumer-facing financial products. 


7. Stress testing. Robust and dynamic stress testing must include a top-down approach 
that incorporates macroeconomic shocks and their impact on several types of risk 
(e.g. credit risk, liquidity risk, market risk, and operational risk). This stress testing 
must be incorporated in a bank’s liquidity planning process, and the outcome will be 
evaluated at the bank level and at the economy level by the Fed. There is one stress 
test performed by the Fed for banks with assets above $10 billion (i.e., the Dodd- 
Frank Act Stress Test) and another test for banks with assets exceeding $50 billion 
(i.e. the Comprehensive Capital Analysis and Review). 


LT PROFESSOR'S NOTE 
ê Europe has also begun considering its own Dodd-Frank replica, which they 
call the Supervisory Review and Evaluation Process. This rule requires stress 


testing and a forward-looking basis for risk planning purposes. 


Governance of Risk Management Best Practices 


LO 3.b: Describe best practices for the governance of a firm’s risk management 
processes. 


Corporate Governance 


The board of directors should be comprised of a majority of independent members to 
maintain a sufficient level of objectivity with regard to making decisions and approving 
management’s decisions. All members should possess a basic knowledge of the firm's 
business and industry, even if they are outside of the industry. Additionally, those who 
lack knowledge should be provided some supplemental training before joining the 
board. 


Recently, the standard view that the board is responsible for serving the best interests 
of shareholders has evolved into a concern for all stakeholders of the firm. This can 
present a challenge because stakeholder interests are not always homogenous. For 
example, debtholders are most concerned with downside risk. They want their 
payments to be secure. However, stockholders would prefer reasonable risk-taking 
behavior in the pursuit of superior returns. Adding in the concerns of regulators, 
employees, and society further complicates the matrix of stakeholder interests. 


Conflicts of interest is a major focal point for the board. This is traditionally thought of 
as agency risk, which is risk associated with owners and operators of a business being 
different groups of people. This is an ever-present concern for the board. One vantage 
point for agency risk considers management incentives to take short-term risks and 
ignore potential long-term impact. For example, many stock-based compensation 
schemes provide managers option grants if they reach short-term targets without 
consideration for the long-term influence of business decision-making. The board 
should be aware of any agency risks whereby management may have the incentive to 
take on greater risks to maximize personal remuneration (e.g., based on short-term 
increases in stock price) that are not consistent with the objectives of the stakeholders 
in terms of long-term risk levels. As a starting point, the compensation committee 
within the board should design management compensation plans so they are congruent 
with corporate goals in addition to minimizing or reducing agency risk. Adding long- 
term goals and a clawback provision (where managers repay bonuses if certain 
actions occur) are some ideas to help in this area. 


Conventional wisdom suggests that the board should remain independent from 
management. This insight translates into practice when the roles of the CEO and the 
chairperson of the board are two different (and independent) people. The board should 
also consider the introduction of a CRO who helps the board understand the firm’s risk 
mapping and risk management process. 


Consider an example using MF Global, which illustrates the importance for board 
independence and the role of a CRO. In 2010, Jon Corzine held the dual roles of CEO and 
chairman of the board of MF Global. Corzine ignored the warnings of his CRO and 


placed substantial proprietary trades in European debt instruments. The Greek 
government was in the middle of a debt crisis, which spilled over into many other 
European sovereign issues. The result was catastrophic losses of approximately $1.6 
billion for MF Global that ultimately resulted in their bankruptcy. There was no 
counterbalance to the CEO’s decision-making because the CEO was also the chairman 
of the board. These roles should be separate and independent for stakeholder 
protection. 


Risk Management 


Each successive macro-level crisis or corporate failure reinforces the need for the 
board of directors to play a central role in a firm’s risk management process. This need 
requires the board to understand the firm’s known risks, their potential impact, and to 
articulate an enterprise-level risk appetite. It is also the board’s responsibility to 
ensure that the firm’s risk appetite is adequately and clearly communicated to 
stakeholders. 


The board of directors should encourage the firm to strive for economic performance, 
not accounting performance. This can be accomplished by ensuring that business 
decision-making is consistent with both authorized risk limits and strategic business 
goals. The board and a sound risk management mindset should influence strategic 
planning as well. In addition, the board should be prepared to pose probing and relevant 
questions to management and other staff in the context of professional skepticism. 
Corroborating information from a variety of sources and staff should increase the 
reliability and validity of the answers obtained. 


From a practical perspective, the board should take the following steps in executing 
their risk management duties: 


1. Clearly articulate an enterprise-level risk appetite. 


2. Determine whether known risks should be retained, avoided, mitigated, or 
transferred. 


3. Establish and maintain a CRO role that reports directly to the CEO with ongoing 
access to the full board as needed. 


4. Establish a risk committee that is comprised of individuals who are knowledgeable 
in the risks faced by the firm. 


5. Connect the work of the compensation committee with the firm’s risk appetite and 
the work of the risk committee. 


6. Maintain an independent audit committee that can monitor relevant actions. 


S MODULE QUIZ 3.1 
=* 1, Which of the following statements was a lesson learned in the aftermath of the 
financial crisis of 2007-2009? 
A. Firms need to prioritize stakeholder interests when diverse/competing 
stakeholder goals are present. 
B. There should be independence on the board of directors, and the role of chief 
executive officer (CEO) and chairperson should be combined when possible. 


C. It is the firm stakeholders who bear the responsibility to clearly articulate an 
enterprise-level risk appetite. 
D. The chief risk officer should exercise control over management compensation 
regimes to not incentivize undesired risk-taking behavior. 
2. Which of the following statements is not a key responsibility of the board of 
directors relative to risk management? 


A. Establish an enterprise-level risk appetite. 

B. Establish an audit committee, which is chaired by the firm's chief financial 
officer (CFO). 

C. Establish a risk committee to inform the risk management process for the full 
board. 

D. Establish and maintain a chief risk officer (CRO) role that reports to the chief 
executive officer (CEO) but retains full access to the board. 


MODULE 3.2: RISK GOVERNANCE IMPLEMENTATION 


LO 3.c: Explain the risk management role and responsibilities of a firm’s board 
of directors. 


In terms of risk governance, the board has some important responsibilities that could 
be facilitated with the involvement of a risk advisory director. Given the specialized 
role of the risk management and compensation committees, the specific duties of the 
risk advisory director are highlighted here. 


Risk Advisory Director 


Sometimes, a firm’s board can include many individuals with experience from outside 
the firm’s industry. When this happens, it is recommended to have an independent risk 
advisory director — a board member who intimately understands the risk factors of a 
given industry and can advise the board on specialized risk exposures. This individual 
should attend risk committee and audit committee meetings to provide industry- 
specific guidance. The risk advisory director also meets with senior management on a 
regular basis and could be viewed as a liaison between the board and management. 
Overall, the role involves educating members on best practices in both corporate 
governance and risk management. 


With or without the assistance of a risk advisory director, the board’s duties include 
the review and analysis of the following: 

« The firm’s risk management policies 

= The firm’s periodic risk management reports 

= The firm’s risk appetite and its impact on business strategy 

= The firm’s internal controls 

« The firm’s financial statements and disclosures 

= The firm’s related parties and related party transactions 

= Any audit reports from internal or external audits 


= Corporate governance best practices for the industry 


= Risk management practices of competitors and the industry 


Risk Management Committee 


The risk management committee (a subset of the full board of directors) is responsible 
for setting the firm's risk appetite and independently monitoring ongoing risk 
management. Members will maintain contact with both internal and external auditors 
to ensure compliance with all relevant policies (e.g., regulations and internal risk 
limits). This committee is also charged with supervision of all known risks of the firm 
and approving high-level risk decisions. In a banking context, they would be involved 
with approving credit facilities that are above certain limits or within limits but above 
a specific threshold. 


Compensation Committee 


As discussed previously, the existence of agency risk necessitates the board to 
implement a compensation committee to ensure appropriate risk taking in relation to 
the long-term risks assumed. The compensation committee is independent of 
management. Its role is to discuss and approve the remuneration of key management 
personnel. 


Management compensation above base salary should be congruent with the goals of the 
other stakeholders. In that regard, the committee should avoid designing compensation 
plans (e.g., stock-based compensation) with bonuses based on short-term profits or 
revenues, given the relative ease in which management may manipulate those amounts. 
Furthermore, the committee may consider introducing elements of downside risk with 
management compensation. For example, compensation may be deferred until long- 
term results are known, or there could be clawbacks of previous bonuses paid if long- 
term results are inconsistent with short-term results. Another idea is to provide bonus 
bonds as compensation that would be taken away should a specific regulatory ratio 
requirement be breached. 


Risk Appetite vs. Business Strategy 


LO 3.d: Evaluate the relationship between a firm’s risk appetite and its business 
strategy, including the role of incentives. 


There must be consistency between the firm’s risk appetite and its business strategy. If 
the firm’s strategic goal is to make profitable loans, then risk limits will impose credit 
risk parameters. If the goal is smooth operations, then futures may be needed to 
address operational risks or foreign currency risks. In all circumstances, a firm’s risk 
appetite should reflect its tolerance to accept risk. 


Understanding the risk supervision hierarchy is important in pursuit of linking risk 
tolerance to business strategy. The board sets the enterprise-level risk appetite through 
the risk committee, which is a subset of the full board. The CRO is responsible for day- 
to-day risk supervision and is able to approve temporary breaches of communicated 
risk limits as long as the enterprise-level risk limits are still within board-established 


tolerance bands. The CRO should report to the CEO; however, the CRO functionally 
operates as a liaison between the board and senior management. The CRO will also sit 
on the firm’s senior risk management team (along with the CEO, the CFO, the treasurer, 
the chief compliance officer, and executives in charge of each function business unit). 


It can sometimes be a challenge to strike a balance between business 
objectives/opportunities and risk limits. There exists a natural tension where an 
activity fits the business objectives but not the risk goals. For example, a bank might be 
considering a potentially profitable new loan that would extend beyond approved 
credit risk limits. The CRO (and ultimately the risk committee) can approve an 
extension or decline the loan. 


The risk appetite is operationalized through risk limits, which can be monitored 
through stress testing and value at risk (VaR) analysis at both the asset-class-level and 
at the business unit level. Functionally, the limits should be designed such that normal 
business activity will not trigger a limit breach and there should be a margin for error 
built into the process. As risks are monitored (on an intraday basis) by frontline 
employees, exceptions (risk limit breach requests) will exist. The CRO should have an 
active plan to identify these requests in writing, and consider approval of temporary 
limit extensions to minimize opportunity costs. It is very important that any risk limit 
exceptions be documented in writing (in the daily risk limit exception report) and 
presented to the risk committee for its awareness and review. 


Relatedly, the compensation committee needs to ensure that managerial remuneration 
reinforces the firm’s risk appetite. In many cases, bonus structures incentivize short- 
term profits and ignore long-term risk exposures. In this manner, bonus structures often 
have an asymmetric, call option-like payoff profile in which managers enjoy the gain of 
profits but avoid the pain of losses. Compensation regimes need to be reimagined as a 
part of the firm’s risk culture. In the wake of the financial crisis of 2007-2009, the G20 
countries recommended a specific series of managerial compensation reforms, which 
are enumerated as follows: 


1. Eliminate multi-year bonus guarantees. 

2. Make supplementary compensation symmetrical by using deferred payment features 
and clawback provisions to encourage long-term thinking. 

3. Limit the amount of incentive-based compensation (often set at 100% of salary or 
200% with shareholder approval). 


4. Establish disclosure requirements to make compensation packages more transparent 
for stakeholders. 


5. Affirm the independence of the compensation subcommittee of the full board. 


Recently, compensation committees have devised a new structure known as a bonus 
bond, which is a bond that only pays a benefit if certain thresholds are met. The Swiss 
bank, UBS, uses this system, and their executives will lose the bonus bond if regulatory 
capital ratios fall below 7.5%. 


Interdependence of Functional Units 


LO 3.e: Illustrate the interdependence of functional units within a firm as it 
relates to risk management. 


The various functional units within a firm are dependent on each other when it comes 
to risk management and reporting. While the risk committee oversees the firm’s risk 
management process and the CRO monitors day-to-day risk limits, it is the frontline 
managers and employees who implement the firm’s risk policy. The interdependence of 
managing risk among these functional units is illustrated in Figure 3.1. 


Figure 3.1: Interdependence 


A 
A 


ZN 


Risk Business 
Management Unit 


\ 7 


= | & 
= | 


There are many examples of interdependence among the functional units. Senior 
management (with supervision and assistance from the risk committee) sets the firm's 
risk appetite, designs and oversees risk policy, and evaluates performance relative to 
risk limits. At the business unit level, the firm’s approved risk policy is implemented, 
and any exceptions are promptly identified. The finance and operation functions 
physically execute risk mitigation and transfer transactions. They also analyze current 
risk management tools to ensure that risk limits are maintained, and these departments 
help in the risk and business planning processes. The risk management function (led by 
the CRO) monitors risk limits and controls, manages the risk management process, and 
regularly communicates with senior management and the risk committee. 


Audit Committee 


LO 3.f: Assess the role and responsibilities of a firm’s audit committee. 


The audit committee (a subcommittee of the full board) has traditionally been 
responsible for the reasonable accuracy of the firm’s financial statements and its 
regulatory reporting requirements. They also have responsibilities related to the firm’s 
risk management process. They need to ensure that board-established policies are 
being followed and that those policies are sufficient to adequately monitor and control 
risk exposures. 


The firm’s internal auditors report to the audit committee and they are responsible for 
monitoring risk management procedures, tracking the progress of existing systems, and 
affirming the efficacy of the existing policies/systems. In addition, the internal auditors 
should also verify adherence to compliance standards and offer an opinion on the 
validity of calculated risk metrics like VaR. When market risk is involved, the audit 
function should validate any pricing models (e.g., derivatives valuation) used for risk 
monitoring. Another key role is to offer an opinion on the assumptions (i.e. volatility, 
correlations, etc.) used in internal risk estimation. In January 2017, the Institute of 
Internal Auditors issued a revised set of standards, which are country-specific, to help 
direct audit standards to a minimum level of robustness. 


A central requirement for a viable audit committee is independence from the 
underlying business activity. The audit function needs to remain independent from the 
day-to-day implementation of risk management policies. Additionally, all members of 
the audit committee must possess sufficient financial knowledge to perform in their 
role. This requires an understanding of the relevant accounting rules (e.g., U.S. GAAP, 
IFRS), financial statements, and internal controls. As a collective, there should be a 
proper balance of independence, knowledge of the business, and ability to ask probing 
and relevant questions. The audit committee is largely meant to be independent of 
management, but it should work with management and communicate frequently to 
ensure that any issues arising are addressed and resolved. 


S MODULE QUIZ 3.2 
Z> 1, The role of a risk advisory director is to: 
A. lead the compensation committee. 
B. assume responsibility for setting the enterprise-level risk appetite. 
C. provide advice to the executive team of the company. 
D. provide risk-oriented expertise to the board when it is primarily comprised of 
people from industries unrelated to the subject firm. 


2. Which of the following statements regarding the firm's risk appetite and/or its 
business strategy is most accurate? 
A. The firm's risk appetite does not consider its willingness to accept risk. 
B. The board needs to work with management to develop the firm's overall strategic 
plan. 
C. Management will set the firm's risk appetite and the board will provide its 
approval of the strategic plan. 


D. Management should obtain the risk management team's approval once the business 
planning process is finalized. 
3. The various functional units of a firm are highly interconnected. Which unit is 
responsible for executing risk mitigation and transfer? 
A. Senior management. 
B. Individual business units. 
C. Finance and operations. 
D. Risk management office. 
4. Which of the following statements regarding the role of the firm's audit committee 
is most accurate? 
A. At least one member of the audit committee must possess sufficient financial 
knowledge. 
B. The audit committee has responsibilities related to the firm's risk management 
process. 
C. The audit committee is only responsible for the accuracy of the financial 
statements. 
D. The audit committee is meant to work dependently with management. 


KEY CONCEPTS 


LO 3.a 
The risk management failures during the financial crisis of 2007-2009 taught several 
key lessons: 


= The needs of all of the firms’ stakeholders must be considered. 
= The board needs to have competent and independent directors. 


= The board needs to take a highly proactive role in the firm’s risk management 
process. 


« The firm’s risk appetite needs to be clearly articulated by the board. 


= Compensation should be structured to better align management behavior with long- 
term stakeholder priorities as determined by the board. 


Basel III and the Dodd-Frank Act were also issued in response to the financial crisis of 
2007-2009. Their goals are to focus banks on capital adequacy measures and to prevent 
commercial banks from engaging in proprietary trading (among other things). 


LO 3.b 

Best practices in corporate governance include factors like board member 
independence, competency standards for board members, consideration of all 
stakeholders, and structuring managerial compensation packages to flow out of risk 
management goals. There should also be separation between the CEO and the 
chairperson of the board so that there is true accountability (i.e., there needs to be two 
different individuals, not one). One of the duties of the board is to supervise the risk 
management process. Best practices for risk management include adequately mapping 
risks and specifying an enterprise-level risk appetite, which needs to be communicated 
throughout the organization. 


LO 3.c 

The board of directors has ultimate responsibility for enterprise-level risk 
management. If the board does not have sufficient expertise to adequately understand, 
map, and manage the firm’s risk exposures, then they need to recruit a risk advisory 
director (an independent expert in industry-specific risk factors) to the board and to 
the risk management committee. The risk management committee will make all risk 
appetite decisions and then bring these discussions back to the full board for their 
awareness. The compensation committee is charged with aligning managerial 
compensation with long-term stakeholder needs. 


LO 3.d 

A firm’s risk appetite must fit with its business strategy. This process involves an in- 
depth understanding of the firm’s objectives. Sometimes the risk appetite will limit 
available opportunities. For example, a bank may need to decline a loan if it would push 
the bank over its risk limits. Compensation should also be aligned to encourage long- 
term risk awareness and not reward only short-term profit-seeking behaviors. 


LO 3.e 

The various functional units of a firm are interconnected. Senior management, business 
units, finance and operation functions, and risk management all work together to 
conduct the firm’s risk management process. Frontline managers are vital in this 
process and the CRO communicates progress to senior management and the risk 
committee on a very regular basis. 


LO 3.f 

The audit committee is a subcommittee of the full board. Members traditionally 
monitor compliance with accounting standards, but they also have a role to play in 
supervision of risk management policies. They need to verify that policies are being 
followed and offer opinions on the variables used in testing exposures, as well as the 
functional value of the current risk management systems. These opinions are informed 
by internal auditors and are collected and transferred to the full board for further 
consideration. 


ANSWER KEY FOR MODULE QUIZZES 


Module Quiz 3.1 


1.A When a firm has a diverse group of stakeholders with potentially competing 
interests, the board needs to prioritize which stakeholder goals will have the 
highest priority. The board should include independent members, but the role of 
CEO and chairperson should be separated if possible. When they are combined, 
there is a potential governance issues because the chairperson cannot effectively 
supervise the CEO if they are the same person. The board of directors is 
responsible for articulating enterprise-level risk appetite. Their decision is 
usually informed by the work of risk committee. The board should exercise 


control over management compensation regimes to not incentivize undesired 
risk-taking behavior. (LO 3.a) 


2.B The board of directors does establish an enterprise-level risk appetite. They 
should establish an audit committee, but it must be independent from 
management. It would be a conflict of interest to have the CFO on the committee, 
much less acting as the committee chair. The risk committee is a subset of the full 
board, and they inform the risk management process for the full board. Another 
responsibility is to create a CRO role who will report to the CEO but retains 
access to the full board if any issues arise. (LO 3.b) 


Module Quiz 3.2 


1.D Arisk advisory director is a board member who is brought in specifically to 
provide industry-specific risk expertise to board members who are from other 
industries. This individual is a member of the full board and may be placed on 
other committees such as the compensation committee, the risk committee, or 
the audit committee without a mandatory mandate for leadership. This person’s 
role is to advise the board and not just the executive team. (LO 3.c) 


2.B The board needs to develop/approve the firm’s risk appetite as well as assist 
management in developing the firm’s overall strategic plan. The firm’s risk 
appetite considers its willingness to accept risk. Both management and the board 
will set the firm’s risk appetite. Management should involve the risk management 
team in the business planning process right from the outset to ensure the 
consistency between risk appetite and business strategy. (LO 3.d) 


3.C Each functional unit has a role to play. Senior management sets risk policy. 
Business units implement risk policy. The finance and operations unit executes 
risk mitigation and transfer strategies, while the risk management office 
supervises and manages the overall risk management process. (LO 3.e) 


4.B The audit committee has responsibilities related to the firm’s risk management 
process. All members of the audit committee have responsibilities related to the 
firm’s risk management process. The audit committee is responsible for the 
accuracy of the financial statements but that alone does not comprise its main 
responsibility. Additionally, the audit committee monitors the underlying systems 
in place regarding financial reporting, regulatory compliance, internal controls, 
and risk management. The audit committee is largely meant to be independent of 
management, but it should work with management and communicate frequently 
to ensure that any issues arising are addressed and resolved. (LO 3.f) 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 4. 


READING 4 


CREDIT RISK TRANSFER 
MECHANISMS 


Study Session 1 


EXAM FOCUS 


This reading focuses on ways credit risk can be mitigated and transferred by a bank. For 
the exam, understand how credit default swaps (CDSs) and collateralized debt 
obligations (CDOs) enable risk transfer, and the role that credit derivatives played in 
the financial crisis of 2007-2009. Also, understand the various mechanisms for risk 
transfer, including marking-to-market, exposure netting, and the collateral process. 
Finally, be familiar with the securitization process and the originate-to-distribute 
model. 


MODULE 4.1: CREDIT RISK TRANSFER 
Types of Credit Derivatives 


LO 4.a: Compare different types of credit derivatives, explain their applications, 
and describe their advantages. 


Credit risk, the risk of a borrower defaulting, is the core risk exposure held by a bank. 
Alan Greenspan, the chairman of the Federal Reserve Bank in 2002, argued that the U.S. 
banking system weathered the 2001-2002 economic slowdown by using novel credit 
risk transfer tools, including CDSs, CDOs, and collateralized loans obligations. These 
credit derivatives are essentially off-balance sheet instruments that enable institutions 
to isolate and transfer very specific risk exposures. 


LT PROFESSOR'S NOTE 
ê There are a few challenges that each counterparty to a credit derivative needs 
to consider. They should understand the credit risk exposure being retained, 
what could trigger a loss, and all obligations associated with their directional 
bet (i.e. buying or selling the credit derivative). 


Credit Default Swaps 

Credit default swaps (CDSs) are financial derivatives that pay off when the issuer of a 
reference instrument (e.g., a corporate bond or a securitized fixed income instrument) 
defaults. This is a very direct way to measure and transfer credit risk. These derivatives 
function like an insurance contract in which a buyer makes regular (quarterly) 
premium payments, and in return, they receive a payment in the event of a default. 


Advantages of CDSs include: 


= Spur innovation. Conceptually, CDS buyers are protected from credit risk. This 
enables them to fund riskier opportunities than they otherwise might comfortably 
support. This access to capital could spur innovation and boost economic growth. 


= Cash-flow potential. CDS sellers create a stream of payments that could bea 
significant source of cash flow. Theoretically, they can diversify the CDS contracts 
across industries and geographies such that defaults in one area should be offset by 
fees from CDSs that have not been triggered through default. 


a Risk price discovery. The use of a CDS enables price discovery of a specific credit risk. 
Bonds also provide credit risk price discovery, but this service is blurred because 
their prices also include other risks, such as interest rate risk. A CDS is a pure play on 
pricing a given borrower’s credit risk. 


Disadvantages of CDSs include: 


= Historically weak regulation. CDS contracts were unregulated until after the financial 
crisis of 2007-2009. Lack of regulation meant that counterparty risk existed because 
CDS buyers were not guaranteed that the CDS seller could make good on the promise 
of credit risk mitigation. 


= False sense of security. The presence of a CDS contract creates a false sense of security 
for fixed income buyers, who could support an issuer that is far riskier than they 
would support without the presence of credit risk transfer. This can be both an 
advantage (access to capital) and a disadvantage (excessive risk-taking behavior), 
depending upon one’s vantage point. 


Collateralized Debt Obligations 


A collateralized debt obligation (CDO) is a structured product that banks can use to 
unburden themselves of credit risk. These financial assets are repacked loans which are 
then sold to investors on the secondary markets. A CDO could include some 
combination of asset-backed securities (ABSs) which could include mortgages 
(commercial or residential), auto loans, credit card debt, or some other loan product. 
Typically, the loans included in a CDO are heavily biased toward mortgage debt through 
a securitized basket of mortgages called a mortgage-backed security (MBS). When a 
CDO consists only of mortgage loans, it is technically known as a collateralized 
mortgage obligation (CMO). 


A CDO may also contain securitized short-term corporate borrowings through a 
product called asset-backed commercial paper. Sometimes, a CDO will contain 
repackaged portions of another collateralized debt obligation that could not be sold 
directly to investors. This product is then called a CDO-squared, and it enables riskier 


portions of loans to be bundled with lower-risk loans to attract investor interest. The 
added complexity of a CDO-squared is primarily intended to make the product easier to 
market to potential investors and not to enhance risk mitigation potential. 


Financial engineers determine how to organize a CDO’s constituent loans into 
investable tranches (a French word meaning slices). These tranches are structured to 
distribute credit risk and to meet rating agency requirements. The most junior tranche 
offers a high interest rate but receives cash flows only after all other tranches have 
been paid. For this reason, this most junior tranche is sometimes referred to as the 
equity tranche or even toxic waste. Above the equity tranche are the mezzanine 
tranches, which receive payment before the junior tranches. The highest-rated tranche, 
called the super senior tranche (often rated AAA), is the safest tranche and the first 
tranche to be paid out; however, it pays investors a relatively low interest rate. 


Advantages of CDOs include: 


= Increased profit potential. Banks have the ability to source loans, repackage them into 
a structured product, and then use the proceeds from selling the repackaged loans to 
source new loans. This cycle enables banks to increase loan turnover and therefore 
increase profit potential. 


= Direct risk transfer. Through the securitization process, banks will effectively transfer 
credit risk to investors. 


= Loan access. Since the bank is repackaging and selling the loans, individuals who 
otherwise might not be able to access a loan may now have access. 


Disadvantages of CDOs include: 


= Encourages increased risk taking. Since banks have the ability to transfer credit risk, 
they may source loans that are riskier than they otherwise would accept. This 
behavior could result in unexpected risk for investors. 


= Risk concentration potential. These structured products could unknowingly (on the 
part of investors) concentrate exposure to high-risk borrowers, who may default and 
cause investors to experience unexpected losses. 


= High complexity. Structured products are very complex. They may be difficult for an 
investor, a rating agency, or a regulator to fully understand. 


Collateralized Loan Obligations 

A collateralized loan obligation (CLO) is a structured product that is extremely 
similar to a CDO. Like a CDO, they are a bundle of repackaged loans that are organized 
into tranches. However, a CLO’s constituent loans are predominantly bank loans, which 
have typically been exposed to a rigorous underwriting process. CLOs did not 
experience the same level of defaults that plagued the CDO market (largely due to 
heavy exposure to mortgages in the CDO space). For this reason, CLOs continued to 
attract investor interest in the wake of the financial crisis of 2007-2009, while CDOs 
lost interest quickly. 


Reducing Credit Risk Exposure 


LO 4.b: Explain different traditional approaches or mechanisms that firms can 
use to help mitigate credit risk. 


Beyond the direct use of credit derivatives, banks have several different traditional 
approaches that can be used to transfer credit risk. These mechanisms are listed as 
follows: 


Purchase third-party insurance. A bank can directly purchase insurance against the 
failure of either a single borrower or a group of borrowers. If a single borrower is 
being insured, then this insurance overlay is technically called a guarantee. This is 
routinely done when issuing loans to municipalities. The Municipal Bond Insurance 
Association is one example of a firm that provides third-party insurance specifically 
to the municipal bond market. 


Exposure netting. When a bank has multiple risk product exposures to the same 
counterparty, it is common to net those exposures in terms of their ultimate financial 
impact. 

Marking-to-market. Counterparties will periodically revalue credit derivatives and 
immediately transfer any required payments to the winning counterparty. This 
prevents the risk of one party not having sufficient funds to make a balloon payment 
at the end of a credit derivative’s maturity. Marking-to-market is primarily used with 
exchange-traded derivatives. 


Requiring collateral. Many banks require that borrowers post collateral when 
creating a new loan. The collateral may offset the lender’s credit risk exposure. 
However, there is the potential for wrong way risk, which occurs when the value of 
the collateral is negatively impacted by the same factors that cause the firm to 
potentially default on a loan. For example, an energy company might take out a loan 
to acquire barrels of oil that are needed in their production process. The barrels of oil 
are the collateral for the loan. If oil prices drop, then the firm may have operational 
issues that could trigger a default. At the same time, the value of their collateral has 
also declined. 


Termination clause. A bank might include a clause in a credit risk transfer transaction 
that would cause the position to terminate if a given trigger event occurs. Examples 
of triggers could be a downgrade or missing financial metrics (e.g, gross profit levels 
or interest coverage). 


Reassignment. A bank could have an agreement to automatically transfer credit risk 
to a third party in the event of a trigger (e.g., downgrade). 


Additionally, banks may decide to disperse credit risk for a given loan across a number 
of other lenders. This credit risk tool is known as syndication. This mechanism is only 
used for very large loans. Typically, the lead bank in the syndicate will retain 
approximately 20% of the loan and find a series of other banks that are willing to hold 
the remaining 80%. The syndicate arrangement could be either a firm commitment or 
on a best-effort’s basis. A firm commitment exists when a lead bank guarantees an 
issuer that it will get the full loan requested. If the lead bank cannot find other banks to 


share the credit risk, then they will be forced to assume all risk themselves. However, a 
syndicate agreement on a best-efforts basis provides issuers no guarantee that they 
will be able to borrow all of the desired funds. The lead bank will do its best to secure 
partner banks, but if it is not successful, then the issuer may receive fewer loan 
proceeds than desired. 


LT PROFESSOR'S NOTE 
ê One challenge with the syndication approach is that is does not inherently 
enable targeted risks to be transferred. The bank will retain all risks 
associated with the portion of the loan that it retains. Its primary alternative 
is to use credit derivatives in addition to a syndication approach to transfer 
any undesired risks. 


Credit Derivatives in the Global Financial Crisis 


LO 4.c: Evaluate the role of credit derivatives in the 2007-2009 financial crisis 
and explain changes in the credit derivative market that occurred as a result of 
the crisis. 


The financial crisis of 2007-2009 was a real-world test of how credit derivatives 
transfer risk. This crisis highlighted a systemic concentration risk that occurred when 
too few liquidity providers were counterparties for all credit derivatives and the size of 
the exposure was much larger than market participants realized. Consider that the 
credit default swap market in 2007 ballooned to $45 trillion in notional value. This was 
a larger dollar amount than U.S. equities, U.S. Treasuries, and outstanding mortgages 
combined. In part, it grew as large as it did because of investors buying CDSs against 
assets that they did not own. They were essentially trying to profit from negative 
market actions. 


As was previously discussed, CDSs hold counterparty risk. This reality came into full 
view when Lehman Brothers filed for bankruptcy in a surprise event. Approximately 
$400 billion of Lehman’s $600 billion in outstanding debt was covered by CDSs. When 
they collapsed, the CDS sellers (e.g, American International Group [AIG] and the Citadel 
hedge fund company) also almost collapsed because they had not anticipated all of the 
CDS contracts coming due at the same time. When the CDS market collapsed, so did 
investors’ appetites for the risky assets that were being demanded because of the 
ability to transfer credit risk. 


CDOs were also actors in the backdrop for the financial crisis. Recall that a core feature 
of these structured products is to allow multiple loans to be removed from a bank’s 
balance sheet. These repackaged loans are then bundled into a new fixed income 
derivative asset and are sold to investors. Essentially, loans to high-risk borrowers were 
initiated so that they could be repackaged and sold. The frequent use of adjustable-rate 
loans and subprime (a very high-risk borrower) loans eventually caught up with reality. 
When the adjustable-rate loans began to hit their rate reset dates, borrowers found 
themselves unable to pay their debts. The resulting elevated default levels completely 


halted investor interest in CDO products. This occurrence left banks holding onto a 
large inventory of loans that they could not repackage and sell any longer. 


The Federal Reserve’s management of the federal funds rate also had an impact on the 
crisis. They raised this critical market rate from 2004 to 2006. This raising cycle 
coincided with rate reset dates on adjustable-rate mortgages. At the same time that 
consumer payments were rising to unaffordable levels, home prices were falling. This 
meant that mortgage borrowers could no longer afford their payments and they could 
not sell their homes. The result was widespread defaults that ultimately rippled 
through MBSs, CDOs, and CDO-squared products. Ultimately, the problem was not the 
existence of credit risk transfer tools, but rather the misuse (and sometimes abuse) of 
these tools. 


The Dodd-Frank Wall Street Reform Act of 2009 (Dodd-Frank) was created to address 
regulatory shortcomings that helped allow the storm to build leading up to the 
financial crisis. The embedded Volcker rule prohibited commercial (depository) banks 
from proprietary trading and from investing in derivatives (i.e., CDSs). It also required 


the Commodity Futures Trading Commission to regulate all swap contracts, including 
CDSs. 


More recently, the Securities and Exchange Commission (SEC) added a new rule— 
Section 15G—to the Securities and Exchange Act in 2014. This regulation requires that 
originators of securitized products (e.g., MBSs, CDOs, and CLOs) must retain at least 5% 
of the credit risk on their balance sheet. Section 15G was designed to force originators 
to be more concerned with the products that they repackage for sale to investors. It is 
important to note that originators are not allowed to transfer or mitigate this 5% 
exposure. They must retain this credit risk in its raw form. 


Securitization and Special Purpose Vehicles 


LO 4.d: Explain the process of securitization, describe a special purpose vehicle 
(SPV), and assess the risk of different business models that banks can use for 
securitized products. 


Securitization is the general process of repackaging loans into a bundled new product 
that can be sold to investors on the secondary markets. This process involves four key 
steps: 

1. Create a special purpose vehicle (SPV), which is an off-balance sheet legal entity 
that functions as a semi-hidden subsidiary of the issuing parent company. An SPV 
will hold financial assets in such a way that is opaque for investors to analyze. 

2. The SPV will use borrowed funds to purchase loan assets from one bank or possibly 
several banks to create structured products (e.g., CMO, CDO, or CLO). 


3. The SPV’s constituent loans will be arranged by either seniority or credit rating and 
structured into tranches to form risk layers within the SPV. 


4. The various tranches are then sold to investors on the secondary markets. 


There are several types of loans that could be brought into an SPV to form a structured 
loan product. They may include commercial mortgages, residential mortgages, auto 
loans, credit card loans, student loans, and other loans that were not able to be 
repacked in another product within an SPV. Below is a brief historical perspective on 
securitized products, which eventually evolved into the products that helped form the 
backdrop for the financial crisis of 2007-2009. 

« The first mortgage-backed securities were issued in 1970. 

= The first structured CMO was issued by Freddie Mac in 1983. 

= Chrysler Financial issued the first auto loan-backed ABS in 1985. 

= The first CDO and the first credit card-backed ABS were both issued in 1987. 


a CLOs were introduced in early 1990s. 


When sourcing loans, banks can choose between two high-level business models. The 
traditional model is referred to as the buy-and-hold strategy. In this approach, banks 
will source a loan and then retain it on their books. They enjoy periodic interest 
payments to compensate for holding credit risk. The innovation enabled by 
securitization is the originate-to-distribute (OTD) model. The OTD model involves 
banks sourcing loans with the explicit intention to securitize them and sell the 
structured products to investors. With this model, banks do not retain credit risk and 
they are paid a fee for sourcing the loans that feed into the securitized products rather 
than receiving interest payments, which belong to the investors in the structured 
products. The incentive in the OTD model is to generate high loan volume, not high- 
quality loans, which is the incentive in the buy-and-hold model. 


LT PROFESSOR'S NOTE 
ê Enthusiasm for the OTD model was partially driven by the Basel capital 
adequacy requirements, which were easier to obtain when certain liabilities 
were held in an off-balance-sheet format. 


Advantages of the OTD model include: 


= Bank profitability. Short-term earnings volatility could be lowered, and capital could 
be optimized using the OTD model. 


= Risk management. Credit risk and interest rate risk could be distributed across 
various market participants. 


« Investor options. Investors had new access to a wider selection of credit products. 
These diversifiers were previously not directly available. 


= Loan access. The OTD model enabled borrowers access to more credit products with 
lower borrowing costs. 


Disadvantages of the OTD model include: 
= Moral hazard. Since banks were sourcing and selling loans, they did not have an 
incentive to ensure the highest underwriting standards were maintained. 


= Misaligned incentives. The OTD model encouraged a focus on short-term profitability 
instead of long-term stability or sustainability. 


= Opaqueness. The lack of transparency in the process for investors made it difficult to 
accurately understand the risks they were assuming. 


The securitization process, which was fed by the OTD model, helped to form the 
backdrop for the financial crisis of 2007-2009. One of the problems was when banks 
underestimated the inherent credit risk and held loans that were sourced through an 
OTD model for their own investing purposes. Sometimes banks would retain 
securitized products in a highly leveraged off-balance sheet asset known as a 
structured investment vehicle (SIV). The purpose of a SIV was to profit from interest 
rate spreads, but it backfired on banks when the underlying loan default rate 
skyrocketed during the crisis. 


LT PROFESSOR'S NOTE 
* An SIV is a type of SPV that focuses on the difference between short-term and 
long-term rates. 


=) MODULE QUIZ 4.4 
= 1. From the perspective of a bank, which of the following is not an advantage of using a 
collateralized debt obligation (CDO) to transfer credit risk? 
A. Bank profitability can be accelerated due to higher loan turnover. 
B. Credit risk is effectively transferred to investors. 
C. There will always be a market for CDO products. 
D. A larger pool of potential borrowers will exist due to less concern for lending 
(underwriting) standards. 


2. Which of the following is not a traditional credit risk transfer approach used by 
banks? 
A. Marking-to-market. 
B. Call feature. 
C. Exposure netting. 
D. Loan syndication. 


3. Which of the following was not a direct cause of the financial crisis of 2007-2009? 
A. The use of credit derivatives. 
B. Weak regulation. 
C. Excessive speculation. 
D. Adjustable-rate loan rate resets. 


4. Which of the following is not a strength of the securitization process? 


A. Enhances credit product access for low-quality borrowers. 

B. Credit risk can be distributed to multiple market participants. 
C. Enables a transparent four-step process. 

D. Enables borrowers to lower their borrowing costs. 


KEY CONCEPTS 


LO 4.a 


Credit risk is the risk of a borrower defaulting. Three derivative products helped to 
transfer credit risk leading up to financial crisis of 2007-2009. Credit default swaps 
(CDSs) enable an investor to transfer credit risk on a loan product to an insurance 


company. They pay a quarterly insurance premium to buy downside protection. 
Collateralized debt obligations (CDOs) enable loan originators to repackage loan 
products into large baskets of loans and then resell those bundles of loans to investors 
on the secondary markets. A CDO is a structured product that is organized in tranches 
(slices of bundled loans) with differing exposures to default risk. A collateralized loan 
obligation (CLO) is very similar to a CDO except that it holds primarily underwritten 
bank loans as opposed to the mortgage bias of CDOs. 


LO 4.b 

Banks may use various traditional approaches to transfer credit risk exposures. They 
include purchasing third-party insurance, exposure netting, marking-to-market, 
requiring collateral, including termination clauses, and possibly loan reassignment. 
Another option is to syndicate a loan. In this approach, a lead bank will retain some of 
the loan and find other banks to hold the remainder of the desired loan amount. These 
approaches may involve credit derivatives as a part of the risk mitigation strategy. 


LO 4.c 

The existence of credit derivatives did not cause the financial crisis of 2007-2009, but 
the misuse of these products certainly did. Investors used CDS contracts for speculation 
rather than risk mitigation. Collateralized debt obligations also held a very complex 
mixture of mortgages that included both subprime loans and adjustable-rate loans as 
well. 


There was a perfect storm when the Federal Reserve began raising rates, adjustable- 
rate loans attained their reset date and produced unaffordable payments, and the 
housing market declined, causing home prices to drop. This confluence of factors led to 
massive defaults that rippled through the MBS and CDO markets. Banks then became 
reluctant to lend to each other while some were going bankrupt. As typically happens 
after a crisis, new regulation was created. Dodd-Frank was formed to better regulate 
the credit derivatives space and to keep bank trading in check. The SEC also added 
Section 15G to further protect investors. 


LO 4.d 

The securitization process involves a bank sourcing loans, transferring them to an off- 
balance sheet entity known as a special purpose vehicle (SPV), organizing the loans into 
tranches, and ultimately selling the structured loan products to investors. This risk 
transfer mechanism has potential issues for investors when the originate-to-distribute 
(OTD) model sources loans with low quality in such a way that disguises this fact from 
investors. When done right, securitization can enhance loan access and help banks to 
increase profitability while providing investors with diversification opportunities. 


ANSWER KEY FOR MODULE QUIZZES 


Module Quiz 4.1 


1.C Collateralized debt obligations transfer credit risk from banks to investors. This 
process enables banks to accelerate the loan origination cycle and therefore enjoy 


potentially higher profitability due to sourcing more loans than would otherwise 
be accessible. The pool of potential borrowers is increased because banks are less 
concerned with lending standards. However, when investors lose interest in CDO 
products due to higher-than-expected default rates, the loan originator (the bank) 
can be stuck with a large amount of credit risk on their balance sheet. (LO 4.a) 


2.B Marking-to-market, exposure netting, and loan syndication are all mechanisms 
that banks use to transfer credit risk. They also might use a termination clause. A 
call feature could be used to protect an issuer from interest rate risk, but not 
credit risk. (LO 4.b) 


3.A The financial crisis of 2007-2009 was made possible by weak regulation and 
government encouragement of loan to subprime borrowers. Banks responded by 
sourcing a high number of high-risk loans that ultimately fell apart when 
adjustable-rate loans reached their reset dates. Investors also speculated very 
heavily in the CDS and CDO markets. It was the misuse of credit derivatives, not 
merely their use, that led to the crisis. (LO 4.c) 


4.C The securitization process enhances loan access for low-quality borrowers. It also 
gives borrowers access to additional credit products at lower borrowing costs. 
Banks using an OTD model get higher fees for sourcing loans with higher interest 
rates. Investors get access to higher-yielding loan products as long as default 
rates are not an issue. The core of this process is to distribute credit risk to 
multiple market participants. The securitization process is not transparent. (LO 
4.d) 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 5. 


READING 5 


MODERN PORTFOLIO THEORY AND 
THE CAPITAL ASSET PRICING MODEL 


Study Session 2 


EXAM FOCUS 


This reading introduces modern portfolio theory, the efficient frontier, and the capital 
market line. It then continues to discuss the security market line (SML), the calculation 
of beta, and the capital asset pricing model (CAPM). For the exam, it is important to 
have a firm grasp of the CAPM calculation. The reading concludes by reviewing some 
popular risk-adjusted measures of return, such as the Sharpe measure, the Treynor 
measure, Jensen’s alpha, the information ratio, and the Sortino ratio. In general, all of 
these performance measures evaluate excess return over some form of risk. It would be 
beneficial to memorize these measures of performance because they are popular 
concepts on the exam. 


MODULE 5.1: MODERN PORTFOLIO THEORY AND THE 
CAPITAL MARKET LINE 


Modern Portfolio Theory 


LO 5.a: Explain Modern Portfolio Theory and interpret the Markowitz efficient 
frontier. 


Due to abundance of market data, market risk has attracted significant interest from 
academics since the 1950s. As a result, numerous market risk models have since been 
developed. The criterion for a good market model is that it must have acceptable 
explanatory power without being unnecessarily complex. 


One of the most notable market risk researchers was Harry Markowitz. He laid the 
foundation for modern portfolio theory in the early 1950s. Markowitz’s portfolio 
theory makes the following assumptions: 


= Returns are normally distributed. This means that, when evaluating utility, investors 
only consider the mean and the variance of return distributions. They ignore 


deviations from normality, such as skewness or kurtosis (we will review those 
concepts in Book 2). 


= Investors are rational and risk-averse. Markowitz defines a rational investor as 
someone who seeks to maximize utility from investments. Furthermore, when 
presented with two investment opportunities at the same level of expected risk, 
rational investors always pick the investment opportunity which offers the highest 
expected return. 


= Capital markets are perfect. This implies that investors do not pay taxes or 
commissions. They have unrestricted access to all available information and perfect 
competition exists among the various market participants. 


Because investors are risk-averse, they strive to minimize the risk of their portfolios 
for a given level of target return. This could be achieved by investing in multiple assets 
which are not perfectly correlated with each other (i.e., where their correlation 
coefficients, p, are less than 1). 


While portfolio returns are calculated as weighted averages of individual asset returns, 
portfolio variances depend on the correlations among assets. A correlation of +1 offers 
no diversification benefits and results in portfolio variance being a weighted average of 
individual variances (solid black line DB-DS in Figure 5.1). When correlation is less 
than 1, diversification occurs and portfolio variance declines below the weighted 
average of individual variances. The lower the correlation, the greater the benefit 
becomes. With perfect negative correlation (p = -1), it is indeed possible to structure a 
portfolio with zero variance (i.e., a synthetic risk-free asset [y-intercept of blue curve in 
Figure 5.1]). We will further explore the mathematics of covariance and correlation in 
Book 2. 


Figure 5.1: Effects of Correlation on Portfolio Risk 


0.05 


O. 


0.05 O10 0,15 0), 2¢ 0.25 0,30 0.35 


By holding a sufficiently large, diversified portfolio, investors are able to reduce, or 
even eliminate, the amount of company-specific (i.e. idiosyncratic) risk inherent in 
each individual security. Examples of company-specific risks include accounting fraud, 
cyber attacks, loss of key personnel, or any other issue which affects a specific 
company, without affecting the rest of the market. By holding a well-diversified 
portfolio, the importance of events affecting individual stocks in the portfolio is 
diminished, and the portfolio becomes mostly exposed to general market risk. It 


follows this pattern because when investors can diversify at low- or no-cost, they must 
not expect to receive compensation for unnecessary exposure to company-specific risk 
given that it’s diversifiable. The compensation they receive must be exclusively 
determined by their exposure to market risk. 


The Efficient Frontier 


Rational investors maximize portfolio return per unit of risk. Plotting all those 
maximum returns for various risk levels produces the efficient frontier, which is 
represented by the blue curve passing through C-D-E-F-G, shown in Figure 5.2. 


Figure 5.2: Efficient Frontier 

E(R, 
0,16 
0.14 OG 
0.12 = Der ae 
0.10 i i a 
0.08 a ae 


ra i 
0.06) CEFA global minimum 


~ variance portfolio 


0.04 


0.02 


0.00 o 


0.00 0.02 0.04 0.06 0.08 0.10 0,12 0.14 0.16 0.18 


Point C is known as the global minimum variance portfolio because it is the efficient 
portfolio offering the smallest amount of total risk. Point C is, therefore, the leftmost 
point of the efficient frontier. Points A and B lie on the so-called portfolio possibilities 
curve, which is an extension of the efficient frontier below the global minimum 
variance portfolio, C. However, points A and B (or any other points below the efficient 
frontier) are considered inefficient because there is always a portfolio directly above 
them on the efficient frontier offering a higher return for the same amount of total risk. 
In general, any portfolio below the efficient frontier is, by definition, inefficient, 
whereas any portfolio above the efficient frontier is unattainable. In the absence of a 
risk-free asset, the only efficient portfolios are the portfolios on the efficient frontier. 
Investors choose their position on the efficient frontier depending on their relative risk 
aversion. A risk seeker may choose to hold Portfolio G whereas another investor 
seeking lower risk may choose to hold Portfolio D. 


The Capital Market Line (CML) 


LO 5.d: Interpret and compare the capital market line and the security market 
line. 


So far in our analysis, we have only considered risky portfolios. The next step is to 
introduce a risk-free asset. A common proxy used for the risk-free asset is the U.S. 
Treasury bill (T-bill). Investors will combine the risk-free asset with a specific efficient 
portfolio that will maximize their risk-adjusted rate of return. Thus, investors obtain a 


line tangent to the efficient frontier whose y-intercept is the risk-free rate of return (as 
shown in Figure 5.3). Assuming investors have identical expectations regarding 
expected returns, variances/standard deviations, and covariances/correlations (i.e. 
homogenous expectations), there will only be one tangency line, which is referred to as 
the capital market line (CML). 


Figure 5.3: Capital Market Line 


CMI 


™~ Market Portfolio, M 
Or 


Because it is assumed there is only one CML, it follows that there is only one tangency 
portfolio, which, by definition, becomes the market portfolio. We can think of the 
market portfolio as the portfolio containing all risky asset classes in the world. In 
practice, a stock market index is often used as a proxy for the market portfolio, such as 
the S&P 500. All investors hold some combination of the risk-free asset and the market 
(tangency) portfolio, depending on their desired amount of total risk and return. For 
example, a more risk-averse investor may invest some of his money in the risk-free 
asset with the remainder invested in the market (i.e., his investment may be located at 
point A in Figure 5.3). At any point to the left of M, investors are lending at the risk-free 
rate because some of their money is invested in Treasuries, whereas at points to the 
right of M, they are borrowing at the risk-free rate (i.e., using leverage to magnify their 
investment in the market portfolio). 


The equation of the CML is: 
E(Ry) R, 
E(Rp) = Rp + || op 
{ 


The slope of the CML is equal to the Sharpe measure, which we will examine later in 
this reading. 


PROFESSOR'S NOTE 
The security market line (SML) will be discussed in Module 5.2, LO 5.b. 


=) MODULE QUIZ 5.1 


1. At arecent analyst meeting at Invest Forum, analysts Michelle White and Ted 
Jones discussed the use of the capital market line (CML). White states that the 
CML assumes that investors hold two portfolios: (1) a risky portfolio of all assets 
weighted according to their relative market value capitalizations; and (2) the risk- 
free asset. Jones states that the CML is useful in determining the required rate of 
return for individual securities. Are White and Jones's statements correct? 


A. Only Jones's statement is correct. 
B. Only White's statement is correct. 
C. Both statements are correct. 
D. Neither statement is correct. 


MODULE 5.2: DERIVING AND APPLYING THE CAPITAL 
ASSET PRICING MODEL 


The Capital Asset Pricing Model (CAPM) 


LO 5.c: Describe the assumptions underlying the CAPM. 


The capital asset pricing model (CAPM) was developed by William Sharpe and John 
Lintner in the 1960s. It builds on the ideas of modern portfolio theory and the CML in 
that investors are assumed to hold some combination of the risk-free asset and the 
market portfolio. Its key assumptions are: 


= Information is freely available. 

= Frictionless markets. There are no taxes and commissions or transaction costs. 

= Fractional investments are possible. Assets are infinitely divisible, meaning investors 
can take a large position as well as very small positions. 

= Perfect competition. Individual investors cannot affect market prices through their 
buying and selling activity and are, therefore, viewed as price takers. 

= Investors make their decisions solely based on expected returns and variances. This 
implies that deviations from normality, such as skewness and kurtosis, are ignored 
from the decision-making process. 

= Market participants can borrow and lend unlimited amounts at the risk-free rate. 


= Homogenous expectations. Investors have the same forecasts of expected returns, 
variances, and covariances over a single period. 


Clearly, the CAPM makes a number of unrealistic assumptions. As with any other 
model, care must be taken when relying solely on the results from the CAPM. 


Estimating and Interpreting Systematic Risk 


LO 5.f: Interpret beta and calculate the beta of a single asset or portfolio. 


The expected returns of risky assets in the market portfolio are assumed to only 
depend on their relative contributions to the market risk of the portfolio. The 
systematic risk of each asset represents the sensitivity of asset returns to the market 
return and is referred to as the asset’s beta. Beta is computed as follows: 


, p m Cov x 
covariance of Asset i's return with the market return Covi M ' 
5 = è 2 -= > z Pi M x 

' variance of the market return on ' M 


In the next section, we will demonstrate that the market beta is, by definition, equal to 
1. Any security with a beta of 1 moves in a one-to-one relationship with the market. 
Consequently, any security with a beta greater than 1 moves by a greater amount (has 
more market risk) and is referred to as cyclical (e.g., luxury goods stock). Any security 
with a beta below 1 is referred to as defensive (e.g., a utility stock). Cyclical stocks 
perform better during expansions whereas defensive stocks fare better in recessions. 


EXAMPLE: Calculating an asset’s beta 


The standard deviation of the market return is estimated as 20%. 
1. If Asset A’s standard deviation is 30% and its correlation of returns with the 
market index is 0.8, what is Asset A’s beta? 
Using the formula: 3, = p; mų — we have: 3. = 0. soo = 1.2. 
MoM 0.20 
2. If the covariance of Asset A’s returns with the returns on the market index is 
0.048, what is the beta of Asset A? 


Cov; m 0.048 
Using the formula: 3, = , we have: 8, = —— = 1.2. 
ore 0.2? 


In practice, we estimate beta by regressing asset returns against market returns. While 
regression is a concept discussed in Book 2, for the purposes of this reading, you can 
think of it as a mathematical estimation procedure that fits a line to a data plot. In 
Figure 5.4, we represent the excess returns on Asset i as the dependent variable and the 
excess returns on the market index as the independent variable. The least squares 
regression line is the line that minimizes the sum of the squared differences of the 
points from the line (this is what is meant by the line of best fit). The slope of this line is 
our estimate of beta. 


Figure 5.4: Estimating Beta With Regression 


Asset 

f recess 
Return 
(R-R_) 


Market Excess Return (Rr R.) 


Deriving the CAPM 


LO 5.b: Understand the derivation and components of the CAPM. 


A straightforward CAPM derivation recognizes that expected return 
= only depends on beta (company-specific risk can be diversified away) and 
= isa linear function of beta. 


We therefore obtain the following equation, where expected return is explained as a 
linear function of beta with an intercept equal to a and slope equal to m: 


E(R,) =a+m*x Bp 


The graphical depiction of the above equation is known as the security market line 
(SML). 
Figure 5.5: The Security Market Line 


E R) 


At Marker Portfolio 


' 
i 
' 
i 
! 
‘ 


B 


In Figure 5.5, the intercept occurs when beta is equal to 0 (i.e., when there is no 
systematic risk). The only asset with zero market risk is the risk-free asset, which is 
completely uncorrelated with market movements and offers a guaranteed return. 
Therefore, the intercept of the SML is equal to the risk-free rate of return, Rp. 


To calculate the value of the slope we will need to know two points along the line. We 
already know the coordinates for the risk-free asset, which are (0, Rẹ). We also know 
the coordinates for the market portfolio, which must be (1, Ry) (i.e. the market 
portfolio has a return equal to the market return, by definition, and its systematic 

[beta] risk is equal to 1). The latter point can be easily demonstrated, remembering that 
the covariance of the returns of an asset with itself is equal to the variance (we will 
further explore the properties of covariance in Book 2): 


Cov MM TM 


= = — = |1 


BM > > 
oT oy 


M M 


We are now ready to calculate the slope of the SML as the rise over run of the line. This 
slope is known as the market risk premium (MRP) because it equals (Ry ~- Rp): 


Rẹ) 
B E — (R 


a m— Rp) = MRP 


Recall that expected return is a linear function of beta: 


E(R,) =a +m x fp 
Using substitution, we can now obtain the well-known CAPM equation: 

E(R,) = Rp + [ER — Rel, 
This implies that the expected return of an investment depends on the risk-free rate Rr, 
the MRP, [Ry - Rg], and the systematic risk of the investment, $. The expected return, 
E(R,), can be viewed as the minimum required return, or the hurdle rate, that investors 
demand from an investment, given its level of systematic risk. Estimating hurdle rates 
accurately is very important. If investors use an inflated hurdle rate, they may 
incorrectly forgo valuable investment opportunities. If, on the other hand, the rate used 
is too low, investors may purchase overvalued assets. 


LO 5.e: Apply the CAPM in calculating the expected return on an asset. 


EXAMPLE: Expected return on a stock 


Assume you are assigned the task of evaluating the stock of Sky-Air, Inc. To 
evaluate the stock, you calculate its required return using the CAPM. The following 
information is available: 


Expected market risk premium 5% 
Risk-free rate 4% 
Sky-Air beta 1.5 


Using CAPM, calculate and interpret the expected return for Sky-Air. 
Answer: 
The expected return for Sky-Air is: 

E(Rsa) = 0.04 + 1.5(0.05) = 0.115 = 11.5% 


E(R) 


E(Rga) = 0.115 +- 


E(Ra) = 0.09 +- 


Ry = 0.04 


In this case, the hurdle rate is 11.5% (i.e. this is the minimum required return given 
the market risk of Sky-Air). If investors predict that the return will exceed 11.5%, 
then they should buy Sky-Air stock (stock is undervalued). However, if investors 
predict that the expected return will be less than 11.5%, then they should either 
shy away from Sky-Air stock or short the stock, if allowed to do so, because the 
stock is overvalued. 


In the previous example, we calculated the required rate of return, which always lies on 

the SML. If an analyst determines that the expected return is different from the required 

rate of return implied by CAPM, then the security may be mispriced according to 

rational expectations. A mispriced security would not lie on the SML. In general: 

= An overvalued security would have a required rate of return (computed by CAPM) 
that is higher than its expected return (computed by the analyst’s valuation). An 
overvalued security would plot below the SML. 


= An undervalued security would have a required rate of return (computed by CAPM) 
that is lower than its expected return (computed by the analyst’s valuation). An 
undervalued security would plot above the SML. 

Si MODULE QUIZ 5.2 


Use the following graph to answer Question 1. 


E(R,) 


. 5% 10% 15% 20% 25% 


1. In the above mean-variance analysis, a risk analyst has combined the risk-free asset 
(T-bills) with Portfolio P. Portfolio P is least likely to: 
A. be efficient. 
B. have beta of 1. 
C. be the global minimum variance portfolio. 
D. represent a 100% investment in the market portfolio. 


2. Which of the following statements is most likely an assumption of the capital asset 
pricing model (CAPM)? 
A. Investors only face capital gains taxes. 
B. Investors’ actions affect the prices of assets. 
C. Transaction costs are constant across all assets. 
D. Market participants can lend and borrow unlimited amounts at the risk-free rate. 


3. Patricia Franklin makes buy and sell stock recommendations using the capital asset 
pricing model (CAPM). Franklin has derived the following information for the broad 
market and for the stock of the CostSave Company (CS): 


Expected market risk premium 8% 
Risk-free rate 5% 
Historical beta for CS 1.50 
Franklin believes that historical betas do not provide good forecasts of future beta, 
so therefore uses the following formula to forecast beta: 
forecasted beta = 0.80 + 0.20 x historical beta 
After conducting a thorough examination of market trends and the CS financial 
statements, Franklin predicts that the CS return will equal 10%. Franklin should 


derive which of the following CS required returns for CS and valuation decisions 
(undervalued or overvalued)? 


Valuation CAPM required return 
A. Overvalued 8.3% 
B. Overvalued 13.8% 
C. Undervalue 8.3% 
D. Undervalued 13.8% 


4. Albert Dreiden wants to estimate the expected return on the market. He believes 
that the stock of the Hobart Materials Company is fairly valued, and gathers the 
following information: 

Expected return for Hobart 7.50% 
Risk-free rate 4.50% 
Beta for Hobart 0.80 


Based on this information, the estimated expected return for the market portfolio is 
closest to: 


A. 3.00%. 
B. 3.75%. 
C. 6.90%. 
D. 8.25%. 


MODULE 5.3: PERFORMANCE EVALUATION MEASURES 


LO 5.g: Calculate, compare, and interpret the following performance measures: 
the Sharpe performance index, the Treynor performance index, the Jensen 
performance index, the tracking error, information ratio, and Sortino ratio. 


It is important for portfolio managers to not only focus on raw returns but to also 
analyze the risk taken to generate those returns. In other words, portfolio managers 
must analyze risk-adjusted rates of return to evaluate the true performance of their 
portfolios given the amount of risk taken. We begin by analyzing three traditional 
performance measures: 


= Sharpe performance index (SPI) 

= Treynor performance index (TPI) 

= Jensen’s performance index (JPI) 

In all three cases, for a given portfolio, the higher measure, the better the risk-adjusted 


return. Note that Sharpe and Treynor are very similar in that they both normalize the 
risk premium by dividing by a measure of risk. 


Sharpe Performance Index 


The Sharpe measure computes excess return (portfolio return in excess of the risk-free 
rate) per unit of total risk (as measured by standard deviation). Investors can apply the 
Sharpe measure to all portfolios because it uses total risk, and it is more widely used 
than the other two measures. 


E(R,) —R, 
SPI = |———— 
op 


As previously mentioned, the slope of the CML is the Sharpe measure of the market. A 
portfolio with a Sharpe measure greater than the Sharpe measure of the market offers 
better risk-adjusted returns compared to the market. This inevitably assumes that 
markets are not always efficient, allowing managers to sometimes beat the market. 


Treynor Performance Index 


The Treynor measure is similar to the Sharpe measure in that both use the same 
numerator, the portfolio excess return. However, they differ in their calculation of the 
denominator. While the Sharpe measure uses total risk as measured by standard 
deviation, the Treynor measure uses systematic risk as measured by beta. 


E(R,) —R, 
TPI = |——— 


Jo 


As previously mentioned, well-diversified portfolios are only exposed to market risk, 
having diversified away idiosyncratic risk. Beta and TPI should therefore be more 
relevant metrics for well-diversified portfolios. On the other hand, poorly-diversified 
portfolios (i.e. portfolios containing few assets) will likely have an unnecessarily high 
standard deviation due to the presence of excessive company-specific risk. 


Recall that the mathematical description of the SML is the CAPM, whose slope is the 
MRP: 


E(R,) = Rp + [ER y) — Ryl3, 


The slope of the SML can also be viewed as the Treynor measure of the market, or the 


MRP: 

E(Rm)— Rp E(Ryy) —R, 

Tiy = |—, |= |__| = 
FM 


A 
ba 


Jensen's Performance Index 

Jensen’s performance index, like Treynor, assumes investors are well-diversified and, 
therefore, uses beta rather than standard deviation as the relevant risk metric. 
Essentially, it compares the portfolio expected return to the CAPM required return. The 
difference between the two may be referred to as Jensen’s alpha (ap). 


JPI = a, = E(R,) — {Rp + [E(R,,) — Rpl8p} 


In equilibrium (the absence of mispricing), the portfolio expected return must equal the 
CAPM required return resulting in zero alpha. If Jensen's alpha is positive, this implies 
that the portfolio is undervalued and investors would be wise to buy or hold it. Jensen’s 
alpha is most suitable for comparing portfolios that have the same level of systematic 
risk. 


The Treynor measure and Jensen’s alpha go hand in hand, in that superior performance 
implied by the Treynor measure automatically implies superior performance according 
to Jensen’s alpha. However, relative rankings of portfolios may differ according to the 
two measures. 


EXAMPLE: Calculating performance measures 


For a portfolio of 10 stocks, assume that the portfolio’s expected return is 14% 
with a standard deviation of 25%. The beta of the portfolio is 1.1. The expected 
return of the market is 12.5% with a standard deviation of 20.2%. The risk-free rate 
is 2.6%. Calculate Sharpe, Treynor, and Jensen’s alpha for the portfolio of stocks. 
Compare the above measures to each measure for the market. 


Answer: 
E(Rp) — Rp 0.14 — 0.026 
SPI, = EASE = — = 0.456 
Op 0.25 
E(R,) — Rọ 0.14 — 0.026 
TPI, = |—_——__| = |__| = 0.1036 
F 3 1.1 
a ; 


JPIp = ap = 0.14 — [0.026 + (0.125 — 0.026)(1.1)] = 0.0051 


We can now compare the above measures to Sharpe, Treynor, and Jensen’s alpha of 
the market: 


E(Ry,) — Ry 0.125 — 0.026 
SS AP aE cat 
M ; 0.202 


0.49 


E(Ry) — Rp 0.125 — 0.026 
TPI,, = |_| = | = 0.099 


JPI *p = 0.125 — [0.026 + (0.125 — 0.026)(1.0)} = 0.00 


M 


An alternative approach to evaluating portfolios is to calculate excess return relative to 
a target return or a benchmark portfolio return. In the following section, we will 
review three such measures: 


= Tracking error 
= Information ratio 


a Sortino ratio 


Tracking Error 


If a manager is trying to earn a return higher than the market portfolio or any other 

reference or benchmark, the difference will have some variability over time. In other 

words, even if the manager is successful in generating a positive alpha, the alpha will 

vary over time. Tracking error is the term used to describe the standard deviation of 

the difference between the portfolio return and the benchmark return. This source of 

variability is another source of risk to use in assessing the manager’s success. 
tracking error = \ 

n— | 

PROFESSOR'S NOTE 

“If you are asked to calculate tracking error on the exam, it would most likely 
amount to no more than obtaining the standard deviation using the relevant 
function on your calculator. We will review this computation in detail in Book 
2. Also, note that even though the earlier definition of tracking error is 
typically how it’s defined, some practitioners refer to tracking error simply as 
the difference between portfolio returns and benchmark returns: Rp - Rg. 


Information Ratio 


The information ratio (IR) divides the portfolio expected return in excess of the 
benchmark expected return by the tracking error: 


E(Rp — Rg) 7 active return 


tracking error active risk 


LT PROFESSOR'S NOTE 
“ Some practitioners refer to the numerator as active return and the 
denominator as active risk. The definition of tracking error (active risk) for 
the denominator of the IR is the same as the first definition provided earlier 
—the standard deviation of the difference between the portfolio return and 
the benchmark return. 


Sortino Ratio 


The Sortino ratio is reminiscent of the Sharpe measure except for two changes. First, 
we replace the risk-free rate with a minimum acceptable return, denoted Ry. This 


return could be determined by the needs of the investor or it can sometimes be set 
equal to the risk-free rate. Second, we replace standard deviation with downside 
deviation: 


— Rp — Rug 
Sortino ma. n 
downside deviation 


Downside deviation is a type of semi-standard deviation. It measures the variability of 
only those returns that fall below the minimum acceptable return. Returns higher than 


Ryn are ignored from the calculation of downside deviation as they are not considered 
risky as far as the desired returns of our investor are concerned. 


> PROFESSOR'S NOTE 

ê It is unlikely that you will be asked to calculate downside deviation, so focus 
on being able to compute the Sortino ratio given Rp, Ryn. and downside 
deviation. 


EXAMPLE: Calculating the information ratio and the Sortino ratio 


An active portfolio manager is trying to beat the FTSE 100. The expected returns of 
the active portfolio and the FTSE 100 are 15% and 12%, respectively, while the 
tracking error is 9%. The minimum acceptable return is 4% and the downside 
deviation is 7%. Compute the information ratio and the Sortino ratio. 


Answer: 
E(Rp—Rg) 0.15-0.12 
IR = - = = 0.33 
tracking error 0.09 
l Rp — Ruin 0.15 — 0.04 
Sortino = = = 1.57 
downside deviation 0.07 


=) MODULE QUIZ 5.3 


=> 1 Fora given portfolio, having a Treynor measure greater than the market but a 
Sharpe measure that is less than the market would most likely indicate the portfolio 
is: 

A. not well-diversified. 

B. generating a negative alpha. 

C. borrowing at the risk-free rate. 

D. not borrowing at the risk-free rate. 


2. With respect to performance measures, the use of the standard deviation of 
portfolio returns is a distinguishing feature of the: 
A. beta measure. 
B. Jensen's alpha. 
C. Sharpe measure. 
D. Treynor measure. 


3. For a given portfolio, the expected return is 9% with a standard deviation of 16%. 
The beta of the portfolio is 0.8. The expected return of the market is 12% with a 
standard deviation of 20%. The risk-free rate is 3%. The portfolio's alpha is: 

A. -1.2%. 
B. -0.6%. 
C. +0.6%. 
D. +1.2%. 


4. Advanced Quantitative Models global equity fund has averaged a return of 12.5% per 
year over the last 10 years. The benchmark average return over the same period was 
11% per year. The risk-free rate of return during the same period averaged 3.5%. 
The standard deviation of the fund's return is 16.15%, and the tracking error is 
10.5%. What is the information ratio (IR) for the fund? 


A. 0.14. 


B. 0.95. 
C. 1.05. 
D. 1.19. 

5. Given the following information: 
Risk-free rate 4% 
Minimum acceptable return 6% 
Benchmark return 10% 
Expected return on portfolio 12% 
Expected return on market 9% 
Beta 1.25 


Standard deviation (portfolio) 7.3% 
Downside deviation (portfolio) 8.2% 
What is the Sortino ratio of the portfolio? 
A. 0.24. 

B. 0.73. 

C. 0.82. 

D. 0.98. 


KEY CONCEPTS 


LO 5.a 


Rational investors seek to maximize return per unit of risk and, therefore, absent a risk- 
free asset, they will hold a portfolio on the efficient frontier. To reduce total risk, 
investors diversify across multiple investments. A sufficiently large portfolio will have 
eliminated company-specific (idiosyncratic) risk and will only be exposed to market 
risk. 


LO 5.b 
To derive the capital asset pricing model (CAPM), we must recognize that 


= expected return only depends on beta because company-specific risk can be 
diversified away, and 


= expected return is a linear function of beta. 


The capital asset pricing model (CAPM) equation is: 
E(R;) = Rp + [E(Ryy) — Rel, 
The beta of the market is equal to 1, and the slope of the security market line (SML) is 
equal to the market risk premium (MRP). The SML is the graphical depiction of the 
CAPM. 
LO 5.c 
The capital asset pricing model (CAPM) makes the following assumptions: 
a Information is freely available. 


a There are no taxes and commissions. 


= Fractional investments are possible. 


= Market participants can borrow and lend at the risk-free rate. 


Individual investors cannot affect market prices. 


= Investors have the same forecasts of expected returns, variances, and covariances. 


LO 5.d 


The capital market line (CML) linearly combines the risk-free asset with the tangency 
portfolio of the efficient frontier. Given the assumption of homogenous expectations, 
the tangency portfolio becomes the market portfolio. All investors are assumed to hold 
some combination of the risk-free asset and the market portfolio. The equation of the 
CML is: 


o 


E(R,y,) — Rẹ 
Op 
M 


E(Rp) = Rp + | 


The slope of the CML is the Sharpe performance index. 


LO 5.e 


The expected return for an asset can be computed using the following formula, given 
the risk-free rate, the market risk premium (MRP), and an asset’s beta: 


E(R,) = Ry + [ER Rp], 


The MRP is the return of the market in excess of the risk-free rate. 


LO 5.f 


Beta can be estimated as the slope from a linear regression of stock returns against 
market returns. It is the sensitivity of stock returns to market movements. The 
following formulas can be used to calculate beta: 


covariance of Asset i's return with the market return COV; m o 


t 
es Á— a a aM ee eee 
variance of the market return ou M 

i 


LO 5.g 


Risk-adjusted performance measures include: the Sharpe performance index (SPI), the 
Treynor performance index (TPI), and Jensen’s alpha. Both Treynor and Jensen’s alpha 
are based on beta, whereas Sharpe is based on standard deviation: 


E(R,) Ry 
SPI = ar 
i 


+ = 
TPI = |[— 
Bp 


JPI = ap = E(Rp) — {Rp + [E(Ryy) — Rplêp} 


Three relative performance metrics include: tracking error, the information ratio (IR), 
and the Sortino ratio: 


em wow 
Rp = Ra)“ 


tracking error = \ 


n— 1 
E(Rp 7 Ra) active return 
IR = — = — 
tracking error active risk 
Rp — Ryn 
Sortino = 


downside deviation 


ANSWER KEY FOR MODULE QUIZZES 


Module Quiz 5.1 


1.B The capital market line (CML) assumes all investors have identical expectations 
and all use mean-variance analysis, implying that they all identify the same risky 
tangency portfolio (the market portfolio) and combine that risky portfolio with 
the risk-free asset when creating their portfolios. Because all investors hold the 
same risky portfolio, the weight on each asset must be equal to the proportion of 
its market value to the market value of the entire portfolio. Therefore, White is 
correct. The CML is useful for determining the rate of return for efficient 
portfolios, but it cannot be used to determine the required rate of return for 
inefficient portfolios or individual securities. The capital asset pricing model 
(CAPM) is used to determine the required rate of return for inefficient portfolios 
and individual securities. Therefore, Jones is incorrect. (LO 5.d) 


Module Quiz 5.2 

1.C The line connecting the risk-free rate with the tangency (market) portfolio is the 
CML. The market portfolio has a beta of 1, by definition, and lies on the efficient 
frontier. The global minimum variance portfolio lies on the efficient frontier, but 
not on the CML. (LO 5.b) 


2.D The CAPM assumes unlimited borrowing and lending at the risk-free rate. 
Additionally, CAPM assumes no taxes, no transaction costs, and that investor 
actions do not affect market prices. (LO 5.c) 


3.B The CAPM equation is 

E(R;) = Rp + BJE(R,, — Rp)] 

Franklin forecasts the beta for CostSave as follows: 
beta forecast = 0.80 + 0.20 (historical beta) 
beta forecast = 0.80 + 0.20(1.50) = 1.1 

The CAPM required return for CostSave is then: 
0.05 + 1.1(0.08) = 13.8% 

Note that the market premium, E(Ry) - Rg, is provided in the question (8%). 


Franklin should decide that the stock is overvalued because she forecasts that the CostSave 
return will equal only 10%, whereas the required return (minimum acceptable return) is 13.8%. 
(LO 5.e) 


4.D The capital asset pricing model (CAPM) equation is: 
ER) =Rp + SERy — Rp] 


Using the given information, we can solve for the expected return for the market portfolio as 
follows: 

7.50% = 4.50% + 0.80[E(R,,) — 4.50%] 

ER = (7.50% — 4.50%) / 0.80] + 4.50% = 8.25% 
Based on the information given and using the CAPM, the expected return on the market is 8.25%. 
(LO 5.e) 


Module Quiz 5.3 

1.A Low diversification can produce a Treynor measure greater than the Sharpe 
measure because it will likely increase the standard deviation of the portfolio’s 
returns, thus decreasing the Sharpe measure. Using margin is not directly related 
to the risk-adjusted performance, because adjusting for risk removes the effect of 
leverage. A Treynor measure greater than the market Treynor would result ina 
positive alpha (not a negative alpha). (LO 5.g) 


2.C The Sharpe measure is the portfolio return minus the risk-free rate divided by the 
standard deviation of the return. The Treynor and Jensen measures use beta as the 
measure of risk. The answer beta measure is a nonsensical choice for this 
question. (LO 5.g) 


3.A The alpha is 9% - [3% + 0.8 x (12% - 3%)] = -1.2%. (LO 5.g) 
4.A IR=(12.5-11) / 10.5 = 0.14 (LO 5.g) 


5. B Sortino ratio = (portfolio return — minimum acceptable 
return) / downside deviation 


= (0.12 — 0.06) / 0.082 = 0.7317 


(LO 5.g) 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 6. 


READING 6 


THE ARBITRAGE PRICING THEORY 
AND MULTIFACTOR MODELS OF RISK 
AND RETURN 


Study Session 2 


EXAM FOCUS 


The relationship between risk and return is one of the most important concepts in 
finance. The capital asset pricing model (CAPM) asserts that the expected return on any 
asset is solely determined by its exposure to the market portfolio. Recall from the 
previous reading that the risk exposure in the CAPM is known as beta. In contrast, 
arbitrage pricing theory (APT) asserts that expected returns are determined by 
exposures to multiple factors that are linked to the macroeconomy. The risk exposures 
in APT are known as factor betas. For the exam, be able to calculate expected returns 
using single-factor and multifactor models. Also, understand the Fama and French 
three-factor version of a multifactor model. In addition, be able to describe how to use 
a multifactor approach to construct a hedged portfolio. 


MODULE 6.1: MULTIFACTOR MODEL ASSUMPTIONS 
AND INPUTS 


Arbitrage Pricing Theory 


LO 6.a: Explain the Arbitrage Pricing Theory (APT), describe its assumptions, 
and compare the APT to the CAPM. 


Investors have historically thought about the expected return for an investment 
through the filter of the capital asset pricing model (CAPM). This model captures a 
linear relationship between a financial asset and a single index (e.g., S&P 500 Index). 
Using CAPM, risk is modeled through the beta (or factor exposure) to this single index. 
In 1976, economics professor Steven Ross proposed an alternative risk modeling tool 
called arbitrage pricing theory (APT).! This newer approach is a type of multifactor 
model that measures the linear relationship between a financial asset and multiple risk 


factors, which includes one or more financial indices (e.g, S&P 500 Index, bond index, 
or commodity index) and multiple macroeconomic variables (e.g., GDP, interest rate 
metrics, production measures, employment variables). 


In a classic sense, the term arbitrage refers to the simultaneous buying and selling of 
two securities to capture a perceived abnormal price difference between the two assets. 
In the context of APT, this term simply refers to a model that measures expected return 
relative to multiple risk factors. In fact, APT assumes that there are no available 
arbitrage opportunities, and that if one does exist, it will very quickly evaporate due to 
the trading actions of market participants. 


According to arbitrage pricing theory, the expected return for security i can be modeled 
as shown here. The idea is to model systematic risk on a more granular level using a 
series of risk factors. 


R; = E(R) + BF, + 8,F, +... + BF, + G; 


where: 

R; =actual return on stock / 

E(R,) = expected return on stock í 

3, = beta (factor sensitivity) for factor | 

F, = first ina series of risk factors that could add return deviation from the 
expected return 

3, = beta (factor sensitivity) for factor k 

F, = last ina series of risk factors that could add return deviation from the 


expected return 
= random error term that accounts for company-specific (idiosyncratic) 
risk 


nm 


Every mathematical model is based on a series of assumptions. Arbitrage pricing 

theory has very simplistic assumptions, including the following: 

1. Market participants are seeking to maximize their profits. 

2. Markets are frictionless (i.e. no barriers due to transaction costs, taxes, or lack of 
access to short selling). 

3. There are no arbitrage opportunities, and if any are uncovered, then they will be 
very quickly exploited by profit-maximizing investors. 


One element, which is both good and bad, is that APT does not specify the multiple 
factors to include in the analysis. This provides analysts with tremendous flexibility. 
However, if an investor is looking for a clear-cut and direct calculation, then APT might 
not be the best fit. Factors need to be checked on a periodic basis and factor 
sensitivities (betas) need to also be updated on a regular basis because financial 
markets are dynamic. Ultimately, there is no one-size-fits-all approach for determining 
the macroeconomic factors used in an APT model, but Chen, Roll, and Ross propose the 


following four factors as one way to structure an APT model: 

= The spread between short-term and long-term interest rates (i.e., the yield curve) 
= Expected versus unexpected inflation 

= Industrial production 

= The spread between low-risk and high-risk corporate bond yields 


The core of the APT model is to find a combination of granular risk factors, such as 
those presented, that more closely predict the return of a financial asset. In this model, 
arbitrage is not an expected opportunity because the model is adjusted to account for 
macroeconomic variables that might explain the current pricing for a given stock. This 
does not mean that the actual stock returns will not deviate from APT pricing (it very 
well may). This is the influence of company-specific risk factors. An analyst would be 
wise to buy a security whose market price drifts lower than APT would suggest (due to 
unexpected factors) and to potentially short a stock whose price is too much higher 
than APT’s calculated return. This logic introduces model risk and also the need to 
periodically update model coefficients to ensure robustness. 


Multifactor Model Inputs 


LO 6.b: Describe the inputs, including factor betas, to a multifactor model and 
explain the challenges of using multifactor models in hedging. 


The inputs into a multifactor model can be best understood by considering its equation, 
which can be seen as follows for stock i: 


R; = E(R;) + 3, F, + 3,F, + ... RFF ¢; 


The first input is the expected return for the stock in question. This type of multifactor 
model will then offer a series of adjustments that attempt to capture known variables 
that would influence the returns of a stock (or portfolio). A beta (factor sensitivity) is 
needed for each variable included in the model, and a value is needed for each factor as 
well. The error term (e;) represents firm-specific return that is otherwise unexplained 
by the model. This idiosyncratic risk could come from factors that are correlated with 
the stock’s return but are excluded from the analysis. It could come from randomness 
and potentially from irrational market behavior. It could also result from unexpected 
firm-specific events such as labor strikes, natural disasters, or tariff uncertainty. 
Because firm-specific events are random, the expected (i.e., default) value for the error 
term is zero. 


A multifactor model could include any number of variables that an analyst desires to 
consider. They could be macroeconomic variables, or they could be firm attributes (e.g., 
P/E multiples, revenue trends, historical returns). Consider an example where an 
analyst tests a stock’s sensitivity to deviations from consensus expectations in 
quarterly GDP releases. The factor for GDP could be expressed as Fepp and the beta 
(also known as the factor loading or the factor sensitivity) for GDP might be 2.0. If 
consensus GDP is 3.2%, but the actual value comes in as 2.2%, then the deviation is 
-0.01 (i.e. -1%). With a GDP beta (Bepp) of 2.0, then we would expect the stock to 


decline by 2% (double the factor’s movement due to the beta of 2.0). 


LT PROFESSOR'S NOTE 
ê Challenges of hedging exposures when using multifactor models will be 
explained in Module 6.2, LO 6.d. 


=) MODULE QUIZ 6.1 
= 1. Which of the following statements is correct regarding arbitrage pricing theory 
(APT)? 
A. APT uses a pre-established series of variables to calculate expected returns. 
B. APT provides more flexibility than traditional CAPM-based models. 
C. APT relies on a stricter series of assumptions than the CAPM. 
D. APT is constrained to a five-factor model. 


2. Which of the following statements regarding the inputs involved with a multifactor 
model is correct? 


A. The factors included in a multifactor model are very rigid. 

B. Factor betas describe how much the relationship is amplified between the stock 
under analysis and the respective factor. 

C. Analysts must include only economic variables as the factors in a multifactor 
model. 

D. Factor betas must be positive values. 


MODULE 6.2: APPLYING MULTIFACTOR MODELS 


Calculating Expected Returns 


LO 6.c: Calculate the expected return of an asset using a single-factor and a 
multifactor model. 


The number of factors to include in a model should be as small as possible, yet still 
capture the priced sources of systematic (nondiversifiable) risk. The simplest versions 
consist of just one macro factor (a single-factor model). Consider the differences 
between a single-factor and a multifactor model using a two-step example. 


First, let’s examine a single-factor option for the common stock of HealthCare Inc. 
(HCI). Actual returns are measured using a single-factor model that captures the impact 
of GDP surprises (unexpected percentage changes denoted by GDP*). The formula for 
this relationship follows: 


Ruci = ERyucn + BanprFapr + Cua 


The following data expands this single-factor example: 
= The expected return for HCI is 10%. 

= The factor beta for GDP surprises is 2.0. 

= The expected GDP growth rate is 3.2%. 


Considering the factor beta, we can deduce that the expected returns for HCI are 
strongly influenced by GDP surprises. This beta suggests a 200% sensitivity. Therefore, 
the stock price is estimated to change by 2% if the GDP surprise is 1%. 


What would this single-factor model prediction be if GDP were actually 2.6% and not 
the original consensus forecast of 3.2%? The GDP surprise factor is -0.60% (= 2.6% - 
3.2%). The formula would suggest that HCI’s stock return should be 8.8%: 


Rya = E(Ryq) + 8epp+F epee + Cuci 
R 


cy = 0-10 + 2.0(—0.006) + cyc = 0.088 = 8.8% 


Perhaps HCI’s actual return was 8.25%. Any deviation from the 8.8% value represents 
either company-specific risk or systematic risk exposure that is not captured by the 
single-factor model. A multifactor model enables analysts to include the systematic 
risk exposure of multiple factors. Maybe surprises in consumer sentiment (CS*) is also a 
big influencer for HCI’s returns. Consider the following multifactor model: 


— fF 4+ f P LA P) 7 
Rua = E(Ryq) + Sepp+F Epps + 8cseF es + Cyc 


The information below is added to the single-factor model data: 
« The factor beta for CS surprises is 1.5. 


= The expected CS growth rate is 1.0%. 


If an updated measure of CS presents a growth rate of 0.75%, then the CS surprise factor 
is -0.25% (= 0.75% - 1.0%) and HCI’s stock price should be 8.43%: 


J 7 +8 3 +e 
aprFanpp. + BegeF ese + Cucr 


Rya = ERyq) +8 
R = 0.10 + 2.0(—0.006) + 1.5(—0.0025) = 0.0843 = 8.43% 


HCI Suc! 
The multifactor model predicts a value of 8.43%, which is much closer to the actual 
result of 8.25%. This multifactor model is capturing more of the systematic influences. 
An analyst would likely keep exploring to find a third or fourth factor that would get 
them even closer to the actual result. Once the proper risk factors have been included, 


the analyst will be left with company-specific risk (e,) that can be diversified away. 


5S PROFESSOR'S NOTE 
Both the factors and the beta exposures will need to be updated and verified 
on a periodic basis because these elements change dynamically. 


Accounting for Correlation 


Arbitrage pricing theory is an application of a multifactor model that serves as an 
alternative to CAPM. This theory relies on the use of a well-diversified portfolio. A 
portfolio is well diversified if financial assets are mixed with other assets that have 
sufficient correlation differences to expel much of the company-specific risk (i.e. 
nonsystematic risk, idiosyncratic risk). A well-diversified portfolio will then be left 
with market-linked risk (i.e., systematic risk), which is measured by a beta coefficient. 


We understand that diversification is enhanced when correlations between portfolio 
assets is low. Logic points to higher correlations when constituent assets in a portfolio 
come from the same asset class and lower correlations when member assets are drawn 
from different asset classes (e.g, commodities, real estate, industrial firms, utilities). 
The presence of multiple asset classes will result in a divergent list of factors that 
might impact the expected returns for a stock. Multifactor models are ideal for this 
form of analysis. 


The main conclusion of APT is that expected returns on well-diversified portfolios are 
proportional to their factor betas. However, we cannot conclude that the APT 


relationship will hold for all securities. For example, if the APT relationship is violated 
for one security in the portfolio, then its effect will be too small to produce meaningful 
arbitrage opportunities for the portfolio. Therefore, we can conclude that the APT 
relation can hold for well-diversified portfolios even if it does not hold for all securities 
in the portfolio. But, the APT relationship must hold for nearly all securities in a well- 
diversified portfolio, or else arbitrage opportunities will become available for the 
portfolio. Therefore, we can conclude that the APT relationship must hold for nearly all 
securities. 


Hedging Exposure to Multiple Factors 


LO 6.d: Explain how to construct a portfolio to hedge exposure to multiple 
factors. 


The granular exposures captured by multifactor models enable a unique hedging 
opportunity. Using calculated factor sensitivities, an investor can build factor 
portfolios, which retain some exposures and intentionally mitigate others through 
targeted portfolio allocations. Consider the following example with a series of three 
well-diversified portfolio as: 


Portfolio Portfolio Portfolio 


l 2 3 
GDP surprise factor sensitivity (Bgpp») 0.50 0.50 
Consumer sentiment surprise factor sensitivity n 
umer sentiment surprise factor sensitivity 0.30 0.30 
(Bess) 
Unemployment surprise factor (Bjopss) 0.25 
1.25 


Manufacturing sector surprise factor (Bigy) 


Suppose that an investor wishes to mitigate all exposure to GDP surprise risk. That 
investor could find a financial asset (or portfolio) that is correlated with GDP surprise 
and has an equal factor sensitivity of 0.50. In this example, an investor could take a long 
position in Portfolio 1 anda short position in Portfolio 2. Doing so would result ina 
zero beta for GDP surprise, but it would retain a 0.30 beta for consumer sentiment 
surprise and add a -0.25 beta (because the position is held short) to unemployment 
surprise. It is possible to find a financial asset that only has an equal factor exposure to 
the single variable of GDP surprise. In such a circumstance, the investor could 
neutralize the GDP surprise exposure and not add any other new exposures. 


An investor could also decide to be long Portfolio 1 and short Portfolio 3, which would 
neutralize the consumer sentiment exposure while retaining GDP surprise and adding 
manufacturing surprise. A third option would be to find derivatives that could hedge 
the 0.50 beta exposure to GDP surprise and the 0.30 beta exposure to consumer 
sentiment surprise. In this instance, an investor could form a hedged portfolio 
(Portfolio H) which has a 50% position in a derivative with exposure to only GDP 
surprise, a 30% position in a derivative with exposure to only consumer sentiment 
surprise, and the remaining 20% in the risk-free asset. An investor could take a long 


position in Portfolio 1 anda short position in Portfolio H. This action would effectively 
mitigate all exposure to both GDP surprise and consumer sentiment surprise. 


An investor might engage in this fully hedged process to exploit a perceived arbitrage 
opportunity. Perhaps Portfolio 1 has an expected return of 12% and the hedged 
portfolio has an expected return of 10%. Taking equal long and short positions in these 
two portfolios will result in a potential 2% arbitrage profit [12% (long) - 10% (short)]. 
Alternatively, if the hedged portfolio instead had a 14% expected return, then the 
investor could take a long position in Portfolio H and a short position in Portfolio 1. 
This action would accomplish the same goal of neutralizing factor sensitivities while 
isolating the perceived 2% arbitrage opportunity. 


One challenge of hedging exposures when using multifactor models is the potential for 
error. Because this hedging process is based on the calculated model, there will always 
be an element of model risk. For example, what if the factor sensitivities have changed 
or what if different factors are better descriptors for a portfolio? Another challenge 
arises if the hedging strategy is either rebalanced too infrequently or too often. Trading 
costs from frequent rebalancing could erode profits, and infrequent rebalancing could 
risk undesired exposures as relationships dynamically change in the markets (i.e. 
increase tracking error). A third challenge results from assuming the underlying asset 
distribution is stationarity over time. For example, what if the necessary model 
assumptions do not hold during periods of market distress (e.g,, the financial crisis of 
2007-2009)? 


The Fama-French Three-Factor Model 


LO 6.e: Describe and apply the Fama-French three-factor model in estimating 
asset returns. 


Recall that CAPM is a single-factor model to calculate the expected return of a 
portfolio. The formula for CAPM is as follows: 


E(R)) = Rp + 8 yRPyy +G 


where: 

E(R;) = expected return on stock i 

Ry = risk-free rate 

BiM = beta (factor sensitivity) between stock j and the market 
RP,, = risk premium for the market 

€j = a random error term which accounts for company-specific 


(idiosyncratic) risk 


As mentioned, because well-diversified portfolios include assets from multiple asset 
classes, multiple risk factors will influence the systematic risk exposure of the 
portfolio. Therefore, multifactor APT can be rewritten as follows: 

E(R,)=R,+8,RP, +8,RP, + BRP, + ¢, 

where: 


3, = beta (factor sensitivity) between stock / and factor exposure i 


RP,= risk premium associated with risk factor / 


As mentioned previously, a major weakness of APT is that it provides no guidance on 
which other factors to include in a multifactor model. In 1996, economists Eugene 
Fama and Kenneth French famously specified a multifactor model with three factors: 
(1) a risk premium for the market, (2) a factor exposure for “small minus big,” and (3) a 
factor exposure for “high minus low”? Small minus big (SMB) is the difference in returns 
between small firms and large firms. This factor adjusts for the size of the firm because 
smaller firms often have higher returns than larger firms. High minus low (HML) is the 
difference between the return on stocks with high book-to-market metrics and ones 
with low book-to-market values. A high book-to-market value means that the firm has 
a low price-to-book metric (book-to-market and price-to-book are inverses). This last 
factor basically means that firms with lower starting valuations are expected to 
potentially outperform those with higher starting valuations. 


LT PROFESSOR'S NOTE 
ê Notice that SMB is a hedge strategy, which is long small firms and short big 
firms. Likewise, HML is also a hedge strategy that is long high book-to-market 
firms and short low book-to-market firms. 


The Fama-French three-factor model is as follows: 
E(R)) = Rp + Be yRPy + F F 


B smpF'smp + Binm Fem + & 


The SMB and HML factors are chosen because history shows that returns are higher on 
smaller firms and those with high book-to-market values. Fama and French argue that 
these differences exist because small firms are inherently riskier than big firms. It is 
common knowledge that valuation levels when a trade is initiated have an impact on 
the ultimate outcome. 


In 1997, Mark Carhart added a momentum factor to the Fama and French model to 
yield a four-factor model.* In 2015, Fama and French themselves proposed adding 
factors for “robust minus weak” (RMW) that accounts for the strength of operating 
profitability and “conservative minus aggressive” (CMA) to adjust for the degree of 
conservatism in the way a firm invests.” The point is that the Fama-French three-factor 
model is not the only option, but it is a widely known version of a multifactor model. 


Consider an example applying the Fama-French three-factor model. A company has a 
beta relative to the market (By) of 0.85, an SMB factor sensitivity (Psp) of 1.65, and an 
HML factor sensitivity (Pym) of -0.25. The equity risk premium is 8.5%, the SMB 


factor is 2.5%, the HML factor is 1.75%, and the risk-free rate is 2.75%. Given this series 
of inputs, the expected return for this stock is computed as: 


E(R,) = Rp + B MRPm + BismeFsme + Binme * Si 
E(R,) = 0.0275 + 0.85(0.085) + 1.65(0.025) + —0.25(0.0175) + ¢= 0.1366 = 


13.66% 
Any return that is different from this calculated 13.66% is considered to be alpha (a). 
The source of this alpha could be company-specific risk (e;), or it could be that other 


factors need to be added to this multifactor model to better predict this stock’s future 
returns. 


2) MODULE QUIZ 6.2 

—* 1. What value is derived from adding more factors through a multifactor approach? 

A. All company-specific risk can be mitigated. 

B. The same variables can be added for every stock, which makes the process easy 
to implement. 

C. Calculations can be derived over multiple time periods because the factor betas 
remain static. 

D. A richer systematic relationship can be captured. 


2. Which of the following statements about correlation and diversification is correct 
with respect to multifactor models? 
A. Well-diversified portfolios hold constituent assets with high correlations. 
B. The use of well-diversified portfolios removes the need for multifactor models. 
C. The use of multiple assets with lower correlations makes the use of multifactor 
models more beneficial for analysts to consider. 
D. Well-diversified portfolios typically include assets from the same asset class. 


3. Which of the following statements relative to the use of multifactor models and 
hedging is incorrect? 
A. Multifactor models enable investors to hedge specific factor exposures. 
B. There are still no arbitrage opportunities, even when factoring in the granular 
exposures captured by multifactor models. 
C. Multifactor models potentially enable investors to eliminate all calculated factor 
exposures. 
D. The hedging process will most likely contain an element of model risk. 


4. Which factors are explicitly considered in the Fama-French three-factor model? 
A.A size factor. 
B. A momentum factor. 
C. A currency exposure factor. 
D. An operational robustness factor. 


KEY CONCEPTS 


LO 6.a 

The capital asset pricing model (CAPM) measures the expected return of a financial 
asset with respect to the broad market only. Arbitrage pricing theory (APT) is a type of 
multifactor model that expands upon the CAPM to consider any number of 
macroeconomic factors that may add additional explanatory power to the expected 
returns of a financial asset. There is not a set series of macroeconomic factors to 
consider, which presents analysts with a great deal of flexibility. APT also has simplified 
assumptions relative to the CAPM. 


LO 6.b 


The inputs in a multifactor model are a series of factors that influence the return ona 
stock. They include the expected return for the stock, a series of desired factors, anda 
beta for each factor. The factors are completely customizable by an analyst. 


LO 6.c 


A single-factor model will only consider the impact of one factor on a dependent 
variable (a stock’s return). This leaves the potential for either company-specific risk or 
uncaptured systematic risk to influence asset returns. A multifactor model enables 
analysts to better model the impact of all systematic risk exposures to improve 
forecasting ability. 


APT relies on well-diversified portfolios. Diversification is based on correlation 
between constituent assets held in a portfolio. When the assets are all sourced from the 
same asset class, correlations will be higher than if they are sourced from different 
asset classes. Therefore, a well-diversified portfolio will hold assets from different 
categories. This will result in a much broader pool of factors that could influence the 
systematic risk exposure of a given stock. Multifactor models are ideal for the need to 
monitor a diverse list of factors. 


LO 6.d 


Because multifactor models consider factor exposures on a very granular level, 
investors can use this approach for hedging. A specific factor exposure can be targeted 
for elimination, or all factor exposures can be targeted. Through the creation of a 
customized hedged portfolio that is scaled to the factor sensitivities of a specific 
portfolio, investors can potentially isolate arbitrage opportunities. 


LO 6.e 

Fama and French specified a three-factor model that includes the equity risk premium 
plus an adjustment for the size of the firm (SMB) and the firm’s valuation (HML). There 
have been other extensions of both the CAPM and the Fama-French three-factor model 
(e.g., a momentum factor). 


ANSWER KEY FOR MODULE QUIZZES 


Module Quiz 6.1 


1.B Arbitrage pricing theory uses a completely customizable group of variables. It 
explicitly mixes the return of the market with a collection of macroeconomic 
variables. As such, it offers more granular flexibility than CAPM. It also uses much 
fewer restrictive assumptions than CAPM. (LO 6.a) 


2.B Multifactor models include a series of factors and associated betas for each factor. 
The selection of factors is completely customizable with no constraints, and a 
beta factor can be positive or negative. In either instance, the beta factor will 
measure the relationship between the stock and the factor in question. (LO 6.b) 


Module Quiz 6.2 


1.D Adding multiple risk factors does not eliminate company-specific risk, which is 
also known as nondiversifiable risk. Each stock will use its own variables, so an 
analyst will need to source variables for each stock under review and periodically 
check (and maybe change) the factors deployed because the factors and the factor 


betas are dynamic over time. Adding multiple risk factors does enhance the 
discovery of systematic risk influence. (LO 6.c) 


2.C APT requires a well-diversified portfolio, which means that assets with lower 
correlations coming from different asset categories need to be included. This 
requirement will broaden the pool of influential factors and make a multifactor 
model a more attractive option. Using uncorrelated assets can lessen but not 
eliminate company-specific risk. (LO 6.c) 


3.B The use of multifactor models enables investors to focus on granular risk 
exposures. Investors can hedge a single exposure and retain the others. They can 
also potentially hedge all calculated risk exposures. This process could produce 
arbitrage opportunities given the right circumstances. Because this hedging 
process is based on the calculated model, there will always be an element of 
model risk. (LO 6.d) 


4.A The Fama-French three-factor model explicitly adjusts for size (SMB) and 
valuation (HML). Carhart added a momentum factor one year after Fama and 
French’s original work. Fama and French also added an operating profit measure 
and an investment conservatism factor in a very recent extension of their own 
work. (LO 6.e) 


1Steven Ross, “The Arbitrage Theory of Capital Asset Pricing,” Journal of Economic Theory 13, no. 3 (1976): 341- 
360. 


2N. Chen, R. Roll, and S. Ross, “Economic Forces and the Stock Market,” The Journal of Business 59, no. 3 (1986): 
383-403, http://www.jstor org/stable/2352710. 


3E, F. Fama and K. R. French, “Multifactor Explanations of Asset Pricing Anomalies,” The Journal of Finance 51, no. 
1 (1996): 55-84. 


4M. M. Carhart, “On Persistence in Mutual Fund Performance,” The Journal of Finance 52, no. 1 (1997): 57-82. 


5F, F. Fama and K. R. French, “A Five-Factor Asset Pricing Model.” Journal of Financial Economics 116, no. 1 (2015): 
1-22. 


The following is a review of the Foundations of Risk Management principles designed to address the learning 
objectives set forth by GARP®. Cross-reference to GARP FRM Part I Foundations of Risk Management, Chapter 7. 


READING 7 


PRINCIPLES FOR EFFECTIVE DATA 
AGGREGATION AND RISK REPORTING 


Study Session 2 


EXAM FOCUS 


This is a highly qualitative reading that explores the Basel Committee’s principles for 
effective risk data aggregation and risk reporting. Much of this reading is practical, in 
terms of the need for the data to be accurate, complete, timely, comprehensive, and 
adaptable. Governance principles are important, and the committee notes that risk data 
aggregation and reporting are expensive, and as a result, senior management and the 
board of directors should be fully invested in the process so that adequate resources 
are devoted to the effort. Risk reporting should also be accurate, comprehensive, clear, 
and useful. For the exam, understand how data aggregation principles interact and 
know that the committee implores banks to meet the requirements of each principle 
while still meeting the other principles. In other words, the bank should not put one 
principle ahead of another. 


MODULE 7.1: DATA QUALITY, GOVERNANCE, AND 
INFRASTRUCTURE 


LO 7.a: Explain the potential benefits of having effective risk data aggregation 
and reporting. 


According to the Basel Committee on Banking Supervision, risk data aggregation 
means “defining, gathering and processing risk data according to the bank’s risk 
reporting requirements to enable the bank to measure its performance against its risk 
tolerance/appetite.” The aggregation process includes breaking down, sorting, and 
merging data and datasets. Risk management reports should reflect risks in a reliable 
way. 


Several benefits accrue to banks that have effective risk data aggregation and reporting 
systems in place. These benefits include the following: 


= An increased ability to anticipate problems. Aggregated data allows risk managers to 
understand risks holistically. It is easier to see problems on the horizon when risks 
are viewed as a whole rather than in isolation. 


= In times of financial stress, effective risk data aggregation enhances a bank’s ability to 
identify routes to return to financial health. For example, a bank may be better able to 
identify a suitable merger partner in order to restore the bank’s financial viability. 


= Improved resolvability in the event of bank stress or failure. Regulatory authorities 
should have access to aggregated risk data to resolve issues related to the health and 
viability of banks. This is especially important for global systemically important 
banks (G-SIBs). 


= By strengthening a bank’s risk function, the bank is better able to make strategic 
decisions, increase efficiency, reduce the chance of loss, and ultimately increase 
profitability. 


CT PROFESSOR'S NOTE 

ê Banks and other organizations are increasingly dealing with “big data.’ Big 
data is data that is so large and complex that traditional data processing and 
analysis tools are inadequate. Data is also costly, and institutions must decide 
which data is worth the price. All data, big or small, must be processed and 
refined into usable information for risk assessment. Data analytics (e.g., 
artificial intelligence and machine learning) are improving and are being 
increasingly used for data collection and analysis. Banks that are able to 
capitalize on data analytics and use big data in decision-making may create a 
competitive advantage. 


LO 7.b: Explain challenges to the implementation of a strong risk data 
aggregation and reporting process and the potential impacts of using poor- 
quality data. 


Financial institutions use models for everything from analyzing risk exposures to 
guiding daily operations. Even small errors that occur in the model development 
process may result in serious consequences for a bank. Models rely on data, so data 
acquisition is an important component of model risk, specifically input risk. 


Model risks include 

= input risk, 

=a estimation risk, 

a valuation risk, and 

= hedging risk. 

Historically, bank data collection efforts were disjointed, with collections occurring at 
the department or business function level. Data was duplicated from different sources, 
neglected and destroyed (e.g.,, changing computer systems). Computer cards and tapes, 


then floppy disks and drives—with all being used, and one generation of storage device 
was not compatible with the next. 


In response to these perceived weaknesses, a special subcommittee of the Basel 
Committee on Banking Supervision (BCBS) was formed to examine the way banks 
collect, store, and analyze data. The committee concluded—and reported in a special 
report on risk management—that data quality was inadequate to aggregate and report 
risk exposures across bank lines of business. As a result, the committee published a set 
of 14 principles to assist banks in overhauling their data aggregation and reporting 
processes (BCBS 239). The goal of BCBS 239 is to enable banks to better measure 
performance against risk tolerances. The expectations put forth in BCBS 239 applies to 
data used in model development and is relevant to managing model risks. As a result of 
BCBS 239, there are more chief data officers in banks responsible for managing these 
risks. 


Model developers must demonstrate that the data used in model development is 
consistent with the theory and methodologies behind the model. Models must be vetted 
and validated. There is regulatory guidance for model developers. The Federal Reserve 
provides guidance to banks on effective model risk management. 


Standards must be consistent across departments. A bank may not understand its true 
risks if data is not standardized. For example, if there are different identification codes 
for customers across departments, the bank may not recognize its true exposure to a 
customer who has an auto loan, a mortgage loan, and a credit card. 


LO 7.c: Describe key governance principles related to risk data aggregation and 
risk reporting. 


LO 7.d: Describe characteristics of effective data architecture, IT infrastructure, 
and risk-reporting practices. 


During the global financial crisis that began in 2007, many banks were unable to 
quickly and accurately identify concentrations of risk across business lines and at the 
bank group level due, in part, to an inability to aggregate risk exposures and report 
bank-wide risks effectively. As part of the Basel Committee’s push for greater corporate 
governance, the committee issued supplemental Pillar 2 guidance regarding capital 
models and other key risk management models (e.g,, value at risk) to improve banks’ 
capabilities regarding the recognition and management of bank-wide risks. 


Banks are finding it difficult to comply with BCBS 239. Senior management and the 
board of directors must identify issues that are preventing effective risk data 
aggregation and risk reporting (RDARR) and remedy deficiencies. For example, before 
the financial crisis of 2007-2009, erroneous or fraudulent mortgage applications came 
in one at a time, introducing flawed data to the system. While the loan applications 
came in one at a time, the ultimate failure was global, based on all the fraudulent 
applications. Banks that have difficulty integrating data will also have difficulty 
meeting the Basel principles and requirements. 


Principle 1—Governance 


According to the committee, “a bank’s risk data aggregation capabilities and risk 
reporting practices should be subject to strong governance arrangements consistent 


with the other principles and guidance established by the Basel Committee.’ 


The governance principle suggests that risk data aggregation should be part of the 
bank’s overall risk management framework. To ensure that adequate resources are 
devoted to data aggregation and reporting, senior management should approve the 
framework before implementation. 


Data aggregation and risk reporting practices should be as follows: 
= Fully documented. 


=u Independently reviewed and validated by individuals with expertise in information 
technology (IT) and data and risk reporting functions. 


= Considered when the firm undergoes new initiatives, including new product 
development, acquisitions, and/or divestitures. As part of an acquisition, the bank 
should assess the risk data aggregation and reporting capabilities of the target firm 
and explicitly evaluate those capabilities when deciding whether to make the 
acquisition. In addition, a time frame should be established to integrate the risk data 
aggregation and reporting processes of the two firms. 


= Unaffected by the bank’s structure. Specifically, decisions regarding data aggregation 
and reporting should be independent of the bank’s physical location or geographical 
presence and/or legal organization. 

= A priority of senior management, who should support risk data aggregation and 
reporting processes with financial and human resources. Senior management should 
include risk data aggregation and reporting in strategic IT planning and ensure that 
the implementation of these processes is not impeded. 


= Supported by the board of directors, which should remain aware of the bank’s 
implementation of and compliance with the key governance principles set out by the 
Basel Committee. RDARR should be reviewed after mergers and acquisitions. 


IT systems are expensive, and risk aggregation and reporting systems require 
significant commitments of financial and human resources. Benefits from these 
investments are generally realized over the long term, not the short term. As the 
memories of the global financial crisis fade, banks may not give priority to the needed 
IT investment. The Basel Committee believes that the long-term benefits of improving 
risk aggregation and reporting processes will outweigh the banks’ investments. 


Principle 2—Data Architecture and Infrastructure 


According to the committee, “a bank should design, build and maintain data 
architecture and IT infrastructure which fully supports its risk data aggregation 
capabilities and risk reporting practices not only in normal times but also during times 
of stress or crisis, while still meeting the other Principles.” 


Principle 2, as referenced in Principle 1, implores the bank to devote financial and 
human resources to RDARR, both when the bank is financially sound and when the 
bank is struggling due to financial stresses. Principle 2 requires the following: 


= Risk data aggregation and reporting practices should be a part of the bank’s planning 
processes and subject to business impact analysis. 


= Banks establish integrated data classifications and architecture across the banking 
group. Multiple data models may be used as long as there are robust automated 
reconciliation measures in place. Data architecture should include information on 
data characteristics (metadata) and naming conventions for legal entities, 
counterparties, customers, and account data. 


a Accountability, roles, responsibilities, and ownership should be defined relative to 
the data. Adequate controls should be in place throughout the life cycle of the data 
for all aspects of the technology infrastructure. Risk managers, business managers, 
and/or IT functions are responsible for data, ensuring that it is entered correctly, is 
relevant and current, is aligned with data taxonomies, and is consistent with bank 
policies. 


Data models may be used to create information on data characteristics. The main data 
models (also called schemas) are as follows: 


= Semantic data models. These models structure data in a logical order and include 
semantic information such as the basic meaning of data and the relationships 
between data. 


= Conceptual data models. Conceptual models are the most abstract. These models 
map the concepts and relationships used in databases and confirm the way humans 
understand systems and system objectives. 


« Logical data models. Logical data models describe data in as much detail as 
possible. These models are not concerned with implementation. 


= Physical data models. The components required to build a database, such as the 
logical database components, are defined in a physical data model. The structure of a 
database table, including column names and values, primary and foreign keys, and 
relationships among tables, are included. Physical data models translate concepts and 
logical data into implementable data to be used in hardware/software system 
platforms. 


Banks that have an effective and compliant data architecture and IT infrastructure are 
better able to understand risks and make adjustments around changes in business 
activities. 


S MODULE QUIZ 7.1 
Z+ 1, Jeffrey Gibson, a bank supervisor with a national regulatory agency, has requested as 
part of a bank examination that Star Bank, a global systemically important bank (G- 
SIB), improve its aggregation and reporting of risk data. Star Bank has experienced 
significant losses resulting from multiple causes, ranging from poor lending decisions 
to bad decisions regarding the use of derivatives. The bank is now undercapitalized 
because of losses. Gibson refers Star Bank's risk managers to the Basel Committee's 
recommendations for effective risk data aggregation. He informs risk committee 
members and senior management that one of the potential direct benefits of 
effective risk data aggregation, particularly in light of Star Bank's current troubles, 
is: 
A. increased bank efficiency. 
B. more effective IT infrastructure. 
C. improved resolvability of bank problems. 


D. a clearer definition of the bank's risk appetite. 


2. Donna Grinstead is the risk management officer at Republic Bank. She is establishing 
governance principles for effective risk data aggregation. The bank has historically 
been lenient with respect to risk management processes, and Grinstead has been 
hired to remedy the situation. Which of the following statements regarding 
governance principles is false? 

A. The overall risk management framework of the bank should include risk data 
aggregation. 

B. Human and financial resources should be devoted to risk data aggregation, and 
thus senior management should approve the framework. 

C. A bank should have multiple sources for risk data for each type of risk to improve 
reliability. 

D. Risk data aggregation should be considered when the firm undergoes new 
initiatives, including acquisitions and divestitures. 


MODULE 7.2: RISK DATA AGGREGATION AND 
REPORTING CAPABILITIES 


Principle 3—Accuracy and Integrity 

According to the committee, “a bank should be able to generate accurate and reliable 
risk data to meet normal and stress/crisis reporting accuracy requirements. Data 
should be aggregated on a largely automated basis so as to minimize the probability of 
errors.” 


Principle 3 requires the following: 


= Data aggregation and reporting should be accurate and reliable. 


= Controls applied to risk data should be as robust as those surrounding accounting 
data. 


= To ensure the quality of the data, effective controls should be in place when the bank 
relies on manual processes and desktop applications such as spreadsheets and 
databases. 

= Data should be reconciled with other bank data, including accounting data, to ensure 
its accuracy. 


= A bank should endeavor to have a single authoritative source for risk data for each 
specific type of risk. 


= Risk personnel should have access to risk data to effectively aggregate, validate, 
reconcile, and report the data in risk reports. 
= The production of aggregate risk information should be timely. 


= Data should be defined consistently across the bank. The bank may maintain a 
dictionary of risk data concepts and terms. 


= While data should be aggregated on a largely automated basis to reduce the risk of 
errors, human intervention is appropriate when professional judgments are required. 
There should be balance between manual and automated risk management systems. 


= Bank supervisors expect banks to document manual and automated risk data 
aggregation systems and explain when there are manual workarounds, why the 
workarounds are critical to data accuracy, and propose actions to minimize the 
impact of manual workarounds. 


a Banks monitor the accuracy of risk data and establish plans to correct poor data 
quality. 


Principle 4—Completeness 


According to the committee, “a bank should be able to capture and aggregate all 
material risk data across the banking group. Data should be available by business line, 
legal entity, asset type, industry, region and other groupings, as relevant for the risk in 
question, that permit identifying and reporting risk exposures, concentrations and 
emerging risks.” 


Principle 4 requires the following: 


= Both on- and off-balance sheet risks should be aggregated. 


= Risk measures and aggregation methods should be clear and specific enough that 
senior managers and the board of directors can properly assess risk exposures. 
However, not all risks need to be expressed in the same metric. 


= Bank risk data should be complete. If risk data is not complete, the bank should 
identify and explain areas of incompleteness to bank supervisors. 


Principle 5—Timeliness 


According to the committee, “a bank should be able to generate aggregate and up-to- 
date risk data in a timely manner while also meeting the principles relating to accuracy 
and integrity, completeness and adaptability. The precise timing will depend upon the 
nature and potential volatility of the risk being measured as well as its criticality to the 
overall risk profile of the bank. The precise timing will also depend on the bank specific 
frequency requirements for risk management reporting, under both normal and 
stress/crisis situations, set based on the characteristics and overall risk profile of the 
bank.” 


Principle 5 requires the following: 


= Risk data aggregation should be timely and should meet all requirements for risk 
management reporting. Bank supervisors will review the timeliness and specific 
frequency requirements of bank risk data in normal and stress/crisis periods. 


= Systems should be in place to produce aggregated risk data quickly in stress/crisis 
situations for all critical risks. Critical risks include but are not limited to 


- aggregated credit exposures to large corporate borrowers; 
- counterparty credit risk exposures, including derivatives; 
- trading exposures, positions, and operating limits; 

- market concentrations by region and sector; 


- liquidity risk indicators; and 


